Abstract

The existence of quantum uncertainty relations is the essential reason that some classically impossible 
cryptographic primitives become possible when quantum communication is allowed. One direct operational
manifestation of these uncertainty relations is a purely quantum effect referred to as information locking [DHL+04].
A locking scheme can be viewed as a cryptographic protocol in which a uniformly random n-bit message is 
encoded in a quantum system using a classical key of size much smaller than n. Without the key no measurement 
of this quantum state can extract more than a negligible amount of information about the message, in which case 
the message is said to be "locked". Furthermore, knowing the key, it is possible to recover, that is "unlock", the 
message. 

In this paper, we make the following contributions by exploiting a connection between uncertainty relations 
and low-distortion embeddings of $\ell_2$ into $\ell_1$.

• We introduce the notion of metric uncertainty relations and connect it to low-distortion embeddings of $\ell_2$ into
$\ell_1$. A metric uncertainty relation also implies an entropic uncertainty relation.

• We prove that random bases satisfy uncertainty relations with a stronger definition and better parameters 
than previously known. Our proof is also considerably simpler than earlier proofs. We apply this result to 
show the existence of locking schemes with key size independent of the message length. 

• We give efficient constructions of metric uncertainty relations. The bases defining these metric uncertainty 
relations are computable by quantum circuits of almost linear size. This leads to the first explicit construction 
of a strong information locking scheme. Moreover, we present a locking scheme that is close to being 
implementable with current technology. These constructions are obtained by adapting an explicit norm 
embedding due to Indyk [Ind07] and an extractor construction of Guruswami, Umans and Vadhan [GUV09].

• We apply our metric uncertainty relations to exhibit communication protocols that perform equality testing 
of n-qubit states. We prove that this task can be performed by a single message protocol using $O(\log(1/\epsilon))$
qubits and n bits of communication, where $\epsilon$ is an error parameter. We also give a single message protocol
that uses $O(\log^2 n)$ qubits, where the computation of the sender is efficient.

Keywords: uncertainty relations, information locking, low-distortion norm embedding, quantum 
identification, quantum equality testing, randomness extractors, quantum cryptography. 
1 Introduction



Uncertainty relations express the fundamental incompatibility of certain measurements in quantum mechanics. 
Far from just being puzzling constraints on our ability to know the state of a quantum system, uncertainty 
relations are arguably at the heart of why some classically impossible cryptographic primitives become possible 
when quantum communication is allowed. For example, so-called entropic uncertainty relations introduced in
[BBM75, Deu83] are the main ingredients of security proofs in the bounded and noisy quantum storage models
[DFSS05, DFR+07, KWW09]. A simple example of an entropic uncertainty relation was given by Maassen and
Uffink [MU88]. Let $B_+$ denote a "rectilinear" or computational basis of $\mathbb{C}^2$ and $B_\times$ be a "diagonal" or Hadamard
basis and let $B_{+^n}$ and $B_{\times^n}$ be the corresponding bases obtained on the tensor product space $(\mathbb{C}^2)^{\otimes n}$. Then we have
that for any quantum state on n qubits described by a unit vector $|\psi\rangle \in (\mathbb{C}^2)^{\otimes n}$, the average measurement entropy
satisfies

$$\frac{1}{2}\left( H(p_{B_{+^n},|\psi\rangle}) + H(p_{B_{\times^n},|\psi\rangle}) \right) \geq \frac{n}{2} \qquad (1)$$

where $p_{B,|\psi\rangle}$ denotes the outcome probability distribution when $|\psi\rangle$ is measured in basis $B$ and $H$ denotes the
Shannon entropy. Equation (1) expresses the fact that measuring in a random basis $B_K$ where $K \in_u \{+^n, \times^n\}$
produces an outcome that has some uncertainty irrespective of the state being measured.

A surprising application of entropic uncertainty relations is the effect known as information locking [DHL+04]
(see also [Leu09]). Suppose Alice holds a uniformly distributed random n-bit string X. She chooses a random basis
$K \in_u \{+^n, \times^n\}$ and encodes X in the basis $B_K$. This random quantum state $\mathcal{E}(X, K)$ is then given to Bob. How
much information about X can Bob, who does not know K, extract from this quantum state via a measurement?
To better appreciate the quantum case, observe that if X were encoded in a classical state $\mathcal{E}_C(X, K)$, then $\mathcal{E}_C(X, K)$
would "hide" at most one bit about X; more precisely, the mutual information $I(X; \mathcal{E}_C(X, K)) \geq n - 1$. For
the quantum encoding $\mathcal{E}$, one can show that for any measurement that Bob applies on $\mathcal{E}(X, K)$ whose outcome is
denoted $I$, we have $I(X; I) \leq n/2$ [DHL+04]. The n/2 missing bits of information about X are said to be locked in
the quantum state $\mathcal{E}(X, K)$. If Bob had access to K, then X can be easily obtained from $\mathcal{E}(X, K)$: The one-bit key
K can be used to unlock n/2 bits about X.

A natural question is whether it is possible to lock more than n/2 bits in this way. In order to achieve this, the 
key K has to be chosen from a larger set. In terms of uncertainty relations, this means that we need to consider 
more than two bases to achieve an average measurement entropy larger than n/2 (equation (1)). The authors of
[HLSW04] show the existence of an encoding that locks n - 3 bits about $X \in \{0, 1\}^n$ using a key $K \in \{0, 1\}^{4 \log n}$.
They prove this result by showing that random bases satisfy entropic uncertainty relations of the form (1) with more
than two measurements. Recently, [Dup10, DFHL10] prove that random encodings exhibit a locking behaviour in
a stronger sense and that it is possible to lock up to $n - \delta$ bits for any arbitrarily small constant $\delta$ while still using
a key of $O(\log n)$ bits. In this setting, a locking scheme can be viewed as a cryptographic protocol that uses a key
of size $O(\log n)$ to encrypt a random classical n-bit message in a quantum state. Knowing the key, it is possible to
recover the message from this quantum state. However, without the key, for any measurement, the distribution 
of the message X conditioned on the outcome I of the measurement is close to the prior distribution of X in total 
variation distance. 

It should be noted that entropic uncertainty relations of the form of (1) with $t > 2$ measurements are not well
understood. A natural generalization of rectilinear $+^n$ and diagonal bases $\times^n$ called mutually unbiased bases does
not work as well for more than two measurements. In fact, it was shown in [BW07, Amb09] that there are arbitrarily
large sets of mutually unbiased bases $\{B_0, B_1, \dots, B_{t-1}\}$ that only satisfy an average measurement entropy of n/2,
which is only as good as what can be achieved with two measurements (1). To achieve an average measurement
entropy of $(1 - \epsilon) n$ for small $\epsilon$ while keeping the number of bases subexponential in n, the only known constructions
are probabilistic and computationally inefficient [HLSW04]. Furthermore, standard derandomization techniques
are not known to work in this setting. For example, unitary designs [DCEL09] define an exponential number
of bases. Moreover, using a $\delta$-biased subset of the set of Pauli matrices [AS04, DD10] fails to produce a locking
scheme unless the subset has a size of close to $2^n$ (see Appendix D).

1.1 Our results 

In this paper, we study uncertainty relations in the light of a connection with low-distortion embeddings of $(\mathbb{C}^d, \ell_2)$
into $(\mathbb{C}^{d'}, \ell_1)$. The intuition behind this connection is very simple. Consider the measurements defined by a set of
orthonormal bases $\{B_0, B_1, \dots, B_{t-1}\}$ of $(\mathbb{C}^2)^{\otimes n}$. The bases $\{B_0, B_1, \dots, B_{t-1}\}$ verify an uncertainty relation if for
every n-qubit state and "most" bases $B_k$, the vector representing $|\psi\rangle$ in $B_k$ is "spread". One way of quantifying
the spread of a vector is by its $\ell_1$ norm, i.e., the sum of the absolute values of its components. A vector $|\psi\rangle \in (\mathbb{C}^2)^{\otimes n}$
of unit $\ell_2$ norm is well spread if its $\ell_1$ norm is close to its maximal value of For technical reasons, it turns out
that the relevant norm for us is not the $\ell_1$ norm but rather a closely related norm called

This connection suggests measuring the uncertainty of a distribution by taking a marginal and measuring 
its closeness to the uniform distribution. This is a stronger requirement than having large Shannon entropy 
and it leads to the definition of metric uncertainty relations (Definition 2.1). Using standard techniques from
asymptotic geometric analysis, we prove the existence of strong metric uncertainty relations (Theorem 2.5). This
result can be seen as a strengthening of Dvoretzky's theorem [Dvo61, Mil71] for the $\ell_1(\ell_2)$ norm. In addition to
giving a stronger statement with better parameters, our analysis of the uncertainty relations satisfied by random
bases is considerably simpler than earlier proofs [HLSW04, DFHL10]. In particular, for large n, we prove the
existence of entropic uncertainty relations with average measurement entropy strictly increasing with the number
of measurements (this answers an open question of the survey paper [WW10]). This result also leads to better
results on the existence of locking schemes (Corollary 3.4).

Moreover, adapting an explicit low-distortion embedding of $(\mathbb{R}^d, \ell_2)$ to $(\mathbb{R}^{d'}, \ell_1)$ with $d' =$ due to Indyk
[Ind07], we obtain explicit bases of $(\mathbb{C}^2)^{\otimes n}$ that verify strong metric uncertainty relations for a number of bases
that is polynomial in n. Measuring in these bases can be performed by polynomial size quantum circuits. The
main new ingredient that makes our "quantization" of Indyk's construction verify stronger uncertainty relations
than do general mutually unbiased bases is the additional use of strong permutation extractors, which are a special
kind of randomness extractor. A strong permutation extractor (Definition 2.14) is a small family of permutations
of bit strings with the property that for any probability distribution on input bit strings with high min-entropy, 
applying a typical permutation from the family to the input induces an almost uniform probability distribution on 
a prefix of the output bits. Our construction of efficiently computable bases satisfying strong metric uncertainty 
relations involves an alternating application of approximately mutually unbiased bases and strong permutation 
extractors. Our approximately mutually unbiased bases consist of sets of single-qubit Hadamard gates. Moreover, 
both the permutations and their inverses have to be efficiently computable for our construction. We build such 
strong permutation extractors using the results of Guruswami, Umans and Vadhan [GUV09].

We use these uncertainty relations to build an explicit locking scheme whose encoding and decoding operations 
can be performed by circuits of size almost linear in the length of the message. Moreover, we also obtain a locking 
scheme where both the encoding and decoding operations consist of a classical computation with polynomial 
runtime and a quantum computation using only a small number of single-qubit Hadamard gates (Corollary 3.5).
Performing these quantum operations can be done using the same technology as implementing the BB84 quantum
key distribution protocol [BB84]. On the way to obtaining this result, we prove a min-entropy uncertainty relation
on a sparse set of BB84 states that might be of independent interest (Lemma 2.13 with Lemma 2.12). This locking
scheme can be used to obtain string commitment protocols [BCH+08] that are efficient in
terms of computation and communication.¹

We also give an application of our uncertainty relations to a problem called quantum identification. Quantum 
identification is a communication task between two parties Alice and Bob, where Alice is given a pure quantum 
state $|\psi\rangle$ and Bob wants to simulate measurements of the form $\{|\varphi\rangle\langle\varphi|, \mathbb{1} - |\varphi\rangle\langle\varphi|\}$ on $|\psi\rangle$ where $|\varphi\rangle$ is a pure
quantum state. This task can be seen as a quantum analogue of the problem of equality testing [AD89, KN97]
where Alice and Bob hold n-bit strings x and y and Bob wants to determine whether x = y using a one-way
classical channel from Alice to Bob. Hayden and Winter [HW10] showed that classical communication alone is
useless for quantum identification. However, having access to a negligible amount of quantum communication
makes classical communication useful. Their proof is non-explicit. Here, we describe an efficient encoding circuit
that also uses less quantum communication: it allows the identification of an n-qubit state by communicating only
a single message of $O(\log^2 n)$ qubits and n classical bits.



1.2 Other related work 

Aubrun, Szarek and Werner [ASW10b, ASW10a] also used a connection between low-distortion embeddings and
quantum information. They show in [ASW10b] that the existence of large subspaces of highly entangled states
follows from Dvoretzky's theorem for the Schatten p-norm² for $p > 2$. This in turn shows the existence of channels
that violate additivity of minimum output p-Rényi entropy as was previously demonstrated by [HW08]. Using a
more delicate argument [ASW10a], they are also able to recover Hastings' [Has09] counterexample to the additivity
conjecture.

¹ It should be noted that this protocol has weak security guarantees. As was shown in [BCH+08], string commitment protocols with a strong
security definition do not exist.

² The Schatten p-norm of a matrix M is defined as the $\ell_p$ norm of a vector of singular values of M.

Table 1: Comparison of different locking schemes. n is the number of bits of the message. The information leakage
and the size of the key are measured in bits and the size of the ciphertext in qubits. Efficient locking schemes
have encoding and decoding quantum circuits of size polynomial in n. The locking schemes of the first and next
to last rows actually have encoding circuits that are implementable with current technology; they only use classical
computations and simple single-qubit transformations. It should be noted that our locking definition is stronger
than all the previous definitions. Note that the variable $\epsilon$ can depend on n. For example, one can take $\epsilon = \eta/n$ to
make the information leakage arbitrarily small. The symbol $O(\cdot)$ refers to constants independent of $\epsilon$ and n, but
there is a dependence on $\delta$ for the next to last row.

In a cryptographic setting, Damgård, Pedersen and Salvail [DPS04] used ideas related to locking to develop
quantum ciphers that have the property that the key used for encryption can be recycled. In [DPS05], they
construct a quantum key recycling scheme (see also [OH05]) with near optimal parameters by encoding the
message together with its authentication tag using a full set of mutually unbiased bases.

Very recently, Gavinsky and Ito [GI10] introduced the concept of quantum hiding fingerprints and provided
efficient constructions. A quantum fingerprint [BCWdW01] encodes an n-bit string x into a quantum state $\rho_x$
of $n' \ll n$ qubits such that given $y \in \{0, 1\}^n$ and the fingerprint $\rho_x$, it is possible to decide with small error
probability whether x = y. The additional hiding property ensures that measuring $\rho_x$ leaks very little information
about x. In Section 3.3 we show that one can efficiently construct quantum hiding fingerprints by locking classical
fingerprints. This gives an alternate proof of the existence of mixed-state quantum hiding fingerprinting schemes
[GI10].



1.3 Notation 

We use the following notation throughout the paper. For a positive integer n, we define $[n] = \{0, \dots, n - 1\}$.
Random variables are usually denoted by capital letters $X, K, \dots$, while $p_X$ denotes the distribution of X,
i.e., $\mathbf{P}\{X = x\} = p_X(x)$. The notation $X \sim p$ means that X has distribution p. $\mathrm{unif}(S)$ is the uniform
distribution on the set S. To measure the distance between probability distributions on a finite set $\mathcal{X}$, we use
the total variation distance or trace distance $\Delta(p, q) = \frac{1}{2} \sum_{x \in \mathcal{X}} |p(x) - q(x)|$. We will also write $\Delta(X, Y)$ for
$\Delta(p_X, p_Y)$. When $\Delta(X, Y) \leq \epsilon$, we say that X is $\epsilon$-close to Y. A useful characterization of the trace distance is
$\Delta(p, q) = \max_{X \sim p, Y \sim q} \mathbf{P}\{X = Y\}$ (this equality is known as Doeblin's coupling lemma). Another useful measure
of closeness between distributions is the fidelity $F(p, q) = \sum_{x \in \mathcal{X}} \sqrt{p(x) q(x)}$. We have the following relation
[FvdG99] between the fidelity and the trace distance

$$1 - F(p, q) \leq \Delta(p, q) \leq \sqrt{1 - F(p, q)^2}. \qquad (2)$$

The Shannon entropy of a distribution p on $\mathcal{X}$ is defined as $H(p) = -\sum_{x \in \mathcal{X}} p(x) \log p(x)$ where the log is taken here
and throughout the paper to be base two. We will also write $H(X)$ for $H(p_X)$. The mutual information between
two random variables X and Y is defined by $I(X; Y) = H(X) + H(Y) - H(X, Y)$. The min-entropy of a distribution
p is defined as $H_{\min}(p) = -\log \max_x p(x)$. We say that a random variable X is a k-source if $H_{\min}(X) \geq k$. To refer
to the i-th component of a vector $v \in \mathbb{R}^n$, we usually write $v_i$ except when v already has a subscript, in which
case we use $v(i)$. The weight of a binary vector v (number of ones) is denoted by $w(v)$ and the Hamming distance
between two binary vectors $v, v'$ (number of components that are different) is written as $d_H(v, v')$.






The quantum systems we consider are denoted $A, B, C, \dots$ and are identified with their Hilbert spaces. The
dimension of a Hilbert space A is denoted by $d_A$. Every Hilbert space A comes with a preferred orthonormal
basis $\{|a\rangle\}_{a \in [d_A]}$ that we call the computational basis. The elements of this basis are labeled by integers from 0 to
$d_A - 1$. For a Hilbert space of the form $\mathbb{C}^{2^n}$, this canonical basis will also be labeled by strings in $\{0, 1\}^n$. $A \simeq B$
means that the Hilbert spaces A and B are isomorphic. For a state $|\psi\rangle \in A$, $p_{|\psi\rangle}$ is the distribution of the outcomes
of the measurement of $|\psi\rangle$ in the basis $\{|a\rangle\}$. We have $p_{|\psi\rangle}(a) = |\langle a|\psi\rangle|^2$. Similarly for a mixed state $\rho$, we define
$p_\rho(a) = \mathrm{tr}[|a\rangle\langle a| \rho]$. The tensor product $A \otimes B$ is sometimes denoted simply AB. $\mathcal{S}(A)$ is the set of density operators
acting on A. The Hilbert space on which a density operator $\rho \in \mathcal{S}(A)$ acts is denoted by a superscript, as in $\rho^A$.

Partial traces are abbreviated by omitting superscripts so that $\rho^A \stackrel{\mathrm{def}}{=} \mathrm{tr}_B\, \rho^{AB}$. This notation is also used for pure
states $|\psi\rangle^A \in A$. The density operator associated with a pure state is abbreviated by omitting the ket and bra:
$\psi \stackrel{\mathrm{def}}{=} |\psi\rangle\langle\psi|$. The symbol $\mathbb{1}^A$ is reserved for the identity map on A. If U is a unitary acting on A, and $|\psi\rangle$ a state in
$A \otimes B$, we sometimes use $U|\psi\rangle$ to denote the state $(U \otimes \mathbb{1}^B)|\psi\rangle$.

The trace distance between density operators acting on A is defined by $\Delta(\rho, \sigma) = \frac{1}{2} \mathrm{tr} \sqrt{(\rho - \sigma)^2}$. The von
Neumann entropy of a quantum state $\rho^A$ is defined by $H(\rho^A) = -\mathrm{tr}\, \rho \log \rho$. It will also be denoted $H(A)_\rho$. For a
bipartite state $\rho^{AB} \in \mathcal{S}(AB)$, the quantum mutual information is $I(A; B)_\rho = H(A)_\rho + H(B)_\rho - H(A, B)_\rho$.

Throughout the paper, the symbol $O(\cdot)$ refers to constants that are independent of n and $\epsilon$. The only possible
dependence is with other variables that are clearly called constants (like $\delta$ in Theorem 2.15 for example).



2 Uncertainty relations 



Outline of the section. In this section, we start by introducing uncertainty relations and setting up some notation
(Section 2.1). Then we define metric uncertainty relations in Section 2.2. In Section 2.3 we prove the existence of
strong metric uncertainty relations. Explicit constructions are given in Section 2.4.



2.1 Background 

Consider a set of orthonormal bases $\mathcal{B} = \{B_0, \dots, B_{t-1}\}$ of the Hilbert space $C$. Each basis $B_k = (v^k_0, \dots, v^k_{d_C - 1})$
defines a measurement on $C$. The outcomes of these measurements are indexed by $x \in [d_C]$. The outcome
distribution $p_{B_k,|\psi\rangle}$ when the measurement is performed on the state $|\psi\rangle \in C$ is defined by $p_{B_k,|\psi\rangle}(x) = |\langle v^k_x|\psi\rangle|^2$ for
all $x \in [d_C]$. An uncertainty relation for a set of orthonormal bases $\mathcal{B} = \{B_0, \dots, B_{t-1}\}$ expresses the property that
for any state $|\psi\rangle \in C$, there are some measurements in $\mathcal{B}$ whose outcomes given state $|\psi\rangle$ have some uncertainty. A
common way of quantifying this uncertainty is by using the Shannon entropy. The set of bases $\mathcal{B}$ is said to satisfy
an entropic uncertainty relation if there exists a positive number h such that for all states $|\psi\rangle \in C$,

1 ^ 

For example, for a qubit space ($\dim C = 2$), consider the two bases $B_0 = (|0\rangle, |1\rangle)$ and $B_1 =
\left(\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle), \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)\right)$. It was shown in [MU88] that these two bases satisfy the following entropic
uncertainty relation: for all states $|\psi\rangle \in C$,

$$\frac{1}{2}\left( H(p_{B_0,|\psi\rangle}) + H(p_{B_1,|\psi\rangle}) \right) \geq \frac{1}{2}.$$

Note that this uncertainty relation cannot be improved: For any bases $B_0, B_1$, one can always choose a state $|\psi_0\rangle$
that is aligned with one of the vectors of $B_0$ so that $H(p_{B_0,|\psi_0\rangle}) = 0$, in which case $\frac{1}{2}\left( H(p_{B_0,|\psi_0\rangle}) + H(p_{B_1,|\psi_0\rangle}) \right) \leq \frac{1}{2}$.

It is more convenient here to talk about uncertainty relations for a set of unitary transformations. Let $\{|x\rangle\}_x$
be the computational basis of $C$. We associate to the unitary transformation U the basis $\{U^\dagger|x\rangle\}_x$. On a state $|\psi\rangle$,
the outcome distribution is described by

$$p_{U|\psi\rangle}(x) = |\langle x|U|\psi\rangle|^2.$$

As can be seen from this equation, we can equivalently talk about measuring the state $U|\psi\rangle$ in the computational
basis. An entropic uncertainty relation for $U_0, \dots, U_{t-1}$ can be written as

$$\frac{1}{t} \sum_{k=0}^{t-1} H(p_{U_k|\psi\rangle}) \geq h. \qquad (3)$$

Entropic uncertainty relations have been used in proving the security of cryptographic protocols in the bounded
and noisy quantum storage models [DFR+07, KWW09]. For more details on entropic uncertainty relations and
their applications, see the recent survey [WW10].

2.2 Metric uncertainty relations 

Here, instead of using the entropy as a measure of uncertainty, we use closeness to the uniform distribution. In 
other words, we are interested in sets of unitary transformations $U_0, \dots, U_{t-1}$ that for all $|\psi\rangle \in C$ satisfy

1 

fc=0 

for some $\epsilon \in (0, 1)$. This condition is very strong, in fact too strong for our purposes, and we will see that a weaker
definition is sufficient to imply entropic uncertainty relations. Let $C = A \otimes B$. (For example, if C consists of n
qubits, A might represent the first $n - \log n$ qubits and B the last $\log n$ qubits.) Moreover, let the computational
basis for C be of the form $\{|a\rangle^A \otimes |b\rangle^B\}_{a,b}$ where $\{|a\rangle\}$ and $\{|b\rangle\}$ are the computational bases of A and B. Instead of
asking for the outcome of the measurement on the computational basis of the whole space to be uniform, we only
require that the outcome of a measurement of the A system in its computational basis $\{|a\rangle\}$ be close to uniform.
More precisely, we define for $a \in [d_A]$,

$$p^A_{U_k|\psi\rangle}(a) = \sum_{b=0}^{d_B - 1} |\langle a|^A \langle b|^B U_k|\psi\rangle|^2.$$

We can then define a metric uncertainty relation. Naturally, the larger the A system, the stronger the uncertainty 
relation. 

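Definition 2.1 (Metric uncertainty relation). Let A and B be Hilbert spaces. We say that a set $\{U_0, \dots, U_{t-1}\}$ of unitary
transformations on AB satisfies an $\epsilon$-metric uncertainty relation on A if for all states $|\psi\rangle \in AB$,

$$\frac{1}{t} \sum_{k=0}^{t-1} \Delta\left( p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A]) \right) \leq \epsilon. \qquad (4)$$

Remark. Observe that (4) also holds for mixed states: for any $\psi \in \mathcal{S}(A \otimes B)$, $\frac{1}{t} \sum_{k=0}^{t-1} \Delta\left( p^A_{U_k \psi U_k^\dagger}, \mathrm{unif}([d_A]) \right) \leq \epsilon$. □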
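As an added numerical illustration (not part of the paper), the following Python evaluates, for the two bases of equation (1) (the computational basis and $H^{\otimes n}$), both the average measurement entropy and the average distance to uniform that Definition 2.1 bounds. The function names, the convention that A is the first qubits (index $a \cdot d_B + b$) and the sample states are assumptions of this example.

```python
import math
import random


def hadamard_all(state):
    """Apply a Hadamard gate to every qubit of a 2^n-dimensional state vector
    (fast Walsh-Hadamard transform): measuring the result in the computational
    basis is the same as measuring the input in the diagonal basis."""
    v = list(state)
    d = len(v)
    h = 1
    while h < d:
        for i in range(0, d, 2 * h):
            for j in range(i, i + h):
                a, b = v[j], v[j + h]
                v[j], v[j + h] = a + b, a - b
        h *= 2
    scale = math.sqrt(d)
    return [x / scale for x in v]


def outcome_distribution(state):
    """p(x) = |<x|psi>|^2 for a computational-basis measurement."""
    return [abs(x) ** 2 for x in state]


def shannon_entropy(p):
    """Shannon entropy in bits; zero-probability outcomes contribute nothing."""
    return -sum(x * math.log2(x) for x in p if x > 1e-15)


def marginal_on_a(p, d_a):
    """Marginal on the A system, assuming the index of |a>|b> is a * d_B + b."""
    d_b = len(p) // d_a
    return [sum(p[a * d_b:(a + 1) * d_b]) for a in range(d_a)]


def distance_to_uniform(p):
    """Total variation (trace) distance between p and the uniform distribution."""
    return 0.5 * sum(abs(x - 1.0 / len(p)) for x in p)


def two_basis_distributions(state):
    """Outcome distributions for U_0 = identity and U_1 = H on every qubit."""
    return [outcome_distribution(state),
            outcome_distribution(hadamard_all(state))]


def average_entropy(state):
    """Left-hand side of equation (1) for the two bases above."""
    return sum(shannon_entropy(p) for p in two_basis_distributions(state)) / 2


def average_metric_distance(state, d_a):
    """Left-hand side of equation (4) with t = 2 and the two bases above."""
    dists = two_basis_distributions(state)
    return sum(distance_to_uniform(marginal_on_a(p, d_a)) for p in dists) / 2


def basis_state(n, index=0):
    """Computational basis state |index> on n qubits."""
    v = [0j] * (2 ** n)
    v[index] = 1 + 0j
    return v


def random_state(n, seed):
    """Constructed sample input: normalized complex Gaussian vector."""
    rng = random.Random(seed)
    v = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(2 ** n)]
    norm = math.sqrt(sum(abs(x) ** 2 for x in v))
    return [x / norm for x in v]


if __name__ == "__main__":
    n, d_a = 4, 4  # A = first two qubits, B = last two qubits
    zero = basis_state(n)
    print("|0000>: avg entropy", average_entropy(zero),
          "avg distance to uniform", average_metric_distance(zero, d_a))
    for seed in range(3):
        psi = random_state(n, seed)
        print("random state", seed, ": avg entropy",
              round(average_entropy(psi), 4), "avg distance to uniform",
              round(average_metric_distance(psi, d_a), 4))
```

For a computational basis state the entropy bound (1) is met with equality, and the average distance to uniform is $(1 - 1/d_A)/2$, so these two bases alone cannot satisfy (4) for small $\epsilon$.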

Metric uncertainty relations imply entropic uncertainty relations. In the next proposition, we show that a metric
uncertainty relation is also an entropic uncertainty relation. It is worth stressing that there are no restrictions on
measurements.

Proposition 2.2. Let $\epsilon \in$ (0, ^) and $\{U_0, \dots, U_{t-1}\}$ be a set of unitaries on AB verifying an $\epsilon$-metric uncertainty relation
on A:

$$\frac{1}{t} \sum_{k=0}^{t-1} \Delta\left( p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A]) \right) \leq \epsilon.$$

Then

$$\frac{1}{t} \sum_{k=0}^{t-1} H(p_{U_k|\psi\rangle}) \geq (1 - 2\epsilon) \log d_A - \eta(\epsilon),$$

where $\eta(\epsilon) = -2\epsilon \ln(2\epsilon)$.
Proof Recall that the distribution $p^A_{U_k|\psi\rangle}$ (see the definition preceding Definition 2.1) on $[d_A]$ is a marginal of the distribution
$p_{U_k|\psi\rangle}$. Thus $H(p_{U_k|\psi\rangle}) \geq H(p^A_{U_k|\psi\rangle})$. Using Fannes' inequality [Fan73], we have for all k

$$H(p^A_{U_k|\psi\rangle}) \geq \log d_A - 2\Delta\left( p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A]) \right) \log d_A - \eta(\epsilon) \geq (1 - 2\epsilon) \log d_A - \eta(\epsilon).$$

□



Explicit link to low-distortion embeddings Even though we do not explicitly use the link to low-distortion 
embeddings, we describe the connection as it might have other applications. In the definition of metric uncertainty 
relations, the distance between distributions was computed using the trace distance. The connection to low- 
distortion metric embeddings is clearer when we measure closeness of distributions using fidelity. We have 



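$$F\left( p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A]) \right) = \frac{1}{\sqrt{d_A}} \sum_{a=0}^{d_A - 1} \sqrt{p^A_{U_k|\psi\rangle}(a)} = \frac{1}{\sqrt{d_A}} \left\| U_k|\psi\rangle \right\|_{\ell_1^A(\ell_2^B)}$$

where the norm $\ell_1^A(\ell_2^B)$ is defined by

Definition 2.3 ($\ell_1(\ell_2)$ norm). For a state $|\psi\rangle = \sum_{a,b} \alpha_{a,b} |a\rangle^A |b\rangle^B$,

$$\left\| |\psi\rangle \right\|_{\ell_1^A(\ell_2^B)} = \sum_{a=0}^{d_A - 1} \sqrt{\sum_{b=0}^{d_B - 1} |\langle a|^A \langle b|^B |\psi\rangle|^2}.$$

We use $\| \cdot \|_{12} = \| \cdot \|_{\ell_1^A(\ell_2^B)}$ when the systems A and B are clear from the context.

Observe that this definition of norm depends on the choice of the computational basis. The $\ell_1^A(\ell_2^B)$ norm will
always be taken with respect to the computational bases.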

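For $\{U_0, \dots, U_{t-1}\}$ to satisfy an uncertainty relation, we want

$$\frac{1}{t} \sum_k \frac{1}{\sqrt{d_A}} \left\| U_k|\psi\rangle \right\|_{\ell_1^A(\ell_2^B)} \geq 1 - \epsilon.$$

This expression can be rewritten by introducing a new register K that holds the index k. We get for all $|\psi\rangle$,

$$\left\| \frac{1}{\sqrt{t}} \sum_k U_k|\psi\rangle^C |k\rangle^K \right\|_{\ell_1^{AK}(\ell_2^B)} \geq (1 - \epsilon) \sqrt{t \cdot d_A}. \qquad (5)$$

Using the Cauchy-Schwarz inequality, we have that for all $|\psi\rangle$,

$$\left\| \frac{1}{\sqrt{t}} \sum_k U_k|\psi\rangle^C |k\rangle^K \right\|_{\ell_1^{AK}(\ell_2^B)} \leq \sqrt{t \cdot d_A} \left\| \frac{1}{\sqrt{t}} \sum_k U_k|\psi\rangle^C |k\rangle^K \right\|_2 = \sqrt{t \cdot d_A}. \qquad (6)$$

Rewriting (5) and (6) as

$$(1 - \epsilon) \leq \frac{\left\| \frac{1}{\sqrt{t}} \sum_k U_k|\psi\rangle^C |k\rangle^K \right\|_{\ell_1^{AK}(\ell_2^B)}}{\sqrt{t \cdot d_A}} \leq 1,$$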
we see that the image of C by the linear map $|\psi\rangle \mapsto \frac{1}{\sqrt{t}} \sum_k U_k|\psi\rangle \otimes |k\rangle$ is an almost Euclidean subspace of
$(A \otimes K \otimes B, \ell_1^{AK}(\ell_2^B))$. In other words, as the map $|\psi\rangle \mapsto \frac{1}{\sqrt{t}} \sum_k U_k|\psi\rangle \otimes |k\rangle$ is an isometry (in the $\ell_2$ sense),
it is an embedding of $(C, \ell_2)$ into $(AKB, \ell_1^{AK}(\ell_2^B))$ with distortion $1/(1 - \epsilon)$ [Mat02].

Observe that a general low-distortion embedding of $(C, \ell_2)$ into $(AKB, \ell_1^{AK}(\ell_2^B))$ does not necessarily give a
metric uncertainty relation as it need not be of the form $|\psi\rangle \mapsto \frac{1}{\sqrt{t}} \sum_k U_k|\psi\rangle \otimes |k\rangle$. When $t = 2$, a metric uncertainty
relation is related to the notion of Kashin decomposition [Kas77]; see also [Pis89, Sza06].



A remark on the composition of metric uncertainty relations There is a natural way of building an uncertainty 
relation for a Hilbert space from uncertainty relations on smaller Hilbert spaces. This composition property is also 
important for the cryptographic applications of metric uncertainty relations presented in the second half of the 
paper, in which setting it ensures the security of parallel composition of locking-based encryption. 

Proposition 2.4. Consider Hilbert spaces $A_1, A_2, B_1, B_2$. For $i \in \{0, 1\}$, let $\{U^{(i)}_{k_i}\}_{k_i \in [t_i]}$ be a set of unitary transformations
of $A_i \otimes B_i$ verifying an $\epsilon$-metric uncertainty relation on $A_i$. Then, $\{U^{(1)}_{k_1} \otimes U^{(2)}_{k_2}\}_{k_1, k_2 \in [t_1] \times [t_2]}$ verifies a $2\epsilon$-metric uncertainty
relation on $A_1 \otimes A_2$.

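Proof Let $|\psi\rangle \in (A_1 \otimes B_1) \otimes (A_2 \otimes B_2)$ and let $p_{k_1,k_2}$ denote the distribution obtained by measuring $U^{(1)}_{k_1} \otimes U^{(2)}_{k_2} |\psi\rangle$
in the computational basis of $A_1 \otimes A_2$. Our objective is to show that

$$\frac{1}{t_1 t_2} \sum_{k_1 \in [t_1], k_2 \in [t_2]} \Delta\left( p_{k_1,k_2}, \mathrm{unif}([d_{A_1}] \times [d_{A_2}]) \right) \leq 2\epsilon. \qquad (7)$$

We have

$$\begin{aligned}
\Delta\left( p_{k_1,k_2}, \mathrm{unif}([d_{A_1}] \times [d_{A_2}]) \right) &= \frac{1}{2} \sum_{a_1, a_2} \left| p_{k_1,k_2}(a_1, a_2) - \frac{1}{d_{A_1} d_{A_2}} \right| \\
&\leq \frac{1}{2} \sum_{a_1, a_2} \left| p_{k_1,k_2}(a_1, a_2) - \frac{p_{k_1,k_2}(a_1)}{d_{A_2}} \right| + \frac{1}{2} \sum_{a_1, a_2} \left| \frac{p_{k_1,k_2}(a_1)}{d_{A_2}} - \frac{1}{d_{A_1} d_{A_2}} \right| \\
&= \frac{1}{2} \sum_{a_1} p_{k_1,k_2}(a_1) \sum_{a_2} \left| \frac{p_{k_1,k_2}(a_1, a_2)}{p_{k_1,k_2}(a_1)} - \frac{1}{d_{A_2}} \right| + \frac{1}{2} \sum_{a_1} \left| p_{k_1,k_2}(a_1) - \frac{1}{d_{A_1}} \right| \qquad (8)
\end{aligned}$$

where $p_{k_1,k_2}(a_1) = \sum_{a_2} p_{k_1,k_2}(a_1, a_2)$ is the outcome distribution of measuring the $A_1$ system of $U^{(1)}_{k_1} \otimes U^{(2)}_{k_2} |\psi\rangle$.
The distribution $p_{k_1,k_2}$ can also be seen as the outcome of measuring the mixed state

in the computational basis $\{|a_1\rangle\}$. Thus, we have for any $k_2 \in [t_2]$,

Moreover, for $a_1 \in [d_{A_1}]$, the distribution on $[d_{A_2}]$ defined by $\frac{p_{k_1,k_2}(a_1, a_2)}{p_{k_1,k_2}(a_1)}$ is the outcome distribution of measuring
in the computational basis of $A_2$ the state

$$U^{(2)}_{k_2} \, \psi^{A_2 B_2}_{k_1, a_1} \, U^{(2)\dagger}_{k_2}$$

where $\psi^{A_2 B_2}_{k_1, a_1}$ is the density operator describing the state of the system $A_2 B_2$ given that the outcome of the
measurement of the $A_1$ system is $a_1$. We can now use the fact that $\{U^{(2)}_{k_2}\}$. Taking the average over $k_1$ and $k_2$
in equation we get

$$\frac{1}{t_1 t_2} \sum_{k_1, k_2} \Delta\left( p_{k_1,k_2}, \mathrm{unif}([d_{A_1}] \times [d_{A_2}]) \right) \leq 2\epsilon.$$

□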



This observation is in the same spirit as [IS10], and can in fact be used to build large almost Euclidean subspaces
of $\ell_1^A(\ell_2^B)$.
2.3 Metric uncertainty relations: existence



In this section, we prove the existence of families of unitary transformations satisfying strong uncertainty relations. 
The proof proceeds by showing that choosing random unitaries according to the Haar measure defines a metric 
uncertainty relation with positive probability. The techniques used are quite standard and date back to Milman's 
proof of Dvoretzky's theorem [Mil71, FLM77]. In fact, using the connection to embeddings of $\ell_2$ into $\ell_1(\ell_2)$
presented in the previous section, this existential theorem can be viewed as a strengthening of Dvoretzky's theorem
for the $\ell_1(\ell_2)$ norm [MS86]. It should be noted that our proof is simpler and gives better parameters than earlier
results on uncertainty relations verified by random unitaries [HLSW04]. Explicit constructions of uncertainty
relations are presented in the next section. 

In order to use metric uncertainty relations to build quantum hiding fingerprints, we require an additional 
property for $\{U_0, \dots, U_{t-1}\}$. A set of unitary transformations $\{U_0, \dots, U_{t-1}\}$ of $\mathbb{C}^d$ are said to define $\gamma$-approximately
mutually unbiased bases ($\gamma$-MUBs) if for all elements $|x\rangle$ and $|y\rangle$ of the computational basis and all $k \neq k'$, we
have

MUlU k ,\y)\ < J^. (9) 
1-MUBs correspond to the usual notion of mutually unbiased bases. 

Theorem 2.5 (Existence of metric uncertainty relations). Let $c = 9\pi^2$ and $\epsilon \in (0, 1)$. Let A and B be Hilbert spaces
with $\dim B > 9/\epsilon^2$ and $d = \dim A \otimes B >$ ^f* . Then, for all $t > \frac{18 c \ln(9/\epsilon)}{\epsilon^2}$, there exists a set $\{U_0, \dots, U_{t-1}\}$ of unitary
transformations of AB satisfying an $\epsilon$-metric uncertainty relation on A: for all states $|\psi\rangle \in AB$,

1 *~ 1 

fc=0 

Moreover, for large enough d, the unitaries $\{U_0, \dots, U_{t-1}\}$ can be chosen to also form 0.9-MUBs.



Remark. The proof proceeds by choosing a set of unitary transformations at random. See (12) and (13) for a precise
bound on the probability that such a set does not form a metric uncertainty relation or a 0.9-MUB. □

Proof The basic idea is to evaluate the expected value of $\Delta\left( p^A_{U|\psi\rangle}, \mathrm{unif}([d_A]) \right)$ for a fixed state $|\psi\rangle$ when U is a random
unitary chosen according to the Haar measure. Then, we use a concentration argument to show that with high
probability, this distance is close to its expected value. After this step, we show that the additional averaging
$\frac{1}{t} \sum_{k=0}^{t-1} \Delta\left( p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A]) \right)$ of t independent copies results in additional concentration at a rate that depends on
t. We conclude by showing the existence of a family of unitaries that makes this expression small for all states $|\psi\rangle$
using a union bound over a $\delta$-net. The four main ingredients of the proof are precisely stated here but only proved
in Appendix A.

We start by computing the expected value of the fidelity $\mathbf{E}\left\{ F\left( p^A_{U|\psi\rangle}, \mathrm{unif}([d_A]) \right) \right\}$, which can be seen as an
$\ell_1(\ell_2)$ norm.

Lemma 2.6 (Expected value of $\ell_1^A(\ell_2^B)$ over the sphere). Let $|\varphi\rangle^{AB}$ be a Haar-distributed random pure state on AB.
Then,

f / \ 1 1 V(iM+l) y( d A d B \ I T~ 

!•:{/•(/' !■•''»'/> '/VO} 1 " ^ ' - 1 



Vd A r(4f ) r( dAd ? +1 ) ~ V d 



IB 



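We then use the inequality $\Delta(p, q) \leq \sqrt{1 - F(p, q)^2}$ to get

$$\mathbf{E}\left\{ \Delta\left( p^A_{U|\psi\rangle}, \mathrm{unif}([d_A]) \right) \right\} \leq \mathbf{E}\left\{ \sqrt{1 - F\left( p^A_{U|\psi\rangle}, \mathrm{unif}([d_A]) \right)^2} \right\}.$$

By the concavity of the function $x \mapsto \sqrt{1 - x^2}$ on the interval [0, 1],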



< e/3. 

The last inequality comes from the hypothesis of the theorem that $d_B > 9/\epsilon^2$. In other words, for any fixed $|\psi\rangle$, 
the average over U of the trace distance between $p^A_{U|\psi\rangle}$ and the uniform distribution is at most $\epsilon/3$. The next step 
is to show that this trace distance is close to its expected value with high probability. For this, we use a version of 
Levy's lemma presented in [MS86]. 

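Lemma 2.7 (Levy's lemma). Let $f : \mathbb{C}^d \to \mathbb{R}$ and $\eta > 0$ be such that for all pure states $|\varphi_1\rangle, |\varphi_2\rangle$ in $\mathbb{C}^d$, 

$$|f(|\varphi_1\rangle) - f(|\varphi_2\rangle)| \le \eta \, \big\| |\varphi_1\rangle - |\varphi_2\rangle \big\|_2 .$$
Let $|\varphi\rangle$ be a random pure state in dimension d. Then for all $0 < \delta < \eta$, 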

P{|/(|^» - E {/(?)} \>5}< 4cxp 

where c is a constant. We can take $c = 9\pi^2$. 

We apply this concentration result to $f : |\varphi\rangle^{AB} \mapsto \Delta(p^A_{|\varphi\rangle}, \mathrm{unif}([d_A]))$. We start by finding an upper bound on 
the Lipschitz constant $\eta$. For any pure states $|\varphi_1\rangle^{AB}$ and $|\varphi_2\rangle^{AB}$ 

|/(|^))-/(b 2 ))|<A«,^ 2 ) 

<^E l(a| A (6| B bi)| 2 -ElH A ( & | S |^)| 5 

a, b b 



<J2(1-F(p lvih p lv2) )) 



= 2-2 y £\{a\{b\\<p 1 )\-\{a\(b\\<p 2 )\ 

Y a,b 

= /E||(a|(6||^)|-|(a|(6||^)|| 2 

Y a,b 

<\\Wl)-\V2)h- (10) 

The first two inequalities follow from the triangle inequality. The third inequality is an application of (2). The 
fourth inequality follows from the fact that $1 - x^2 \le 2(1 - x)$ for all $x \in [0, 1]$. The last inequality follows again 
from the triangle inequality. Thus, applying Lemma 2.7, we get for all $0 < \delta < 1$, 

$$\mathbf{P}\big\{ |\Delta(p^A_{|\varphi\rangle}, \mathrm{unif}([d_A])) - \mu| \ge \delta \big\} \le 4\exp\left(-\frac{\delta^2 d}{c}\right)$$

where $\mu = \mathbf{E}\{\Delta(p^A_{|\varphi\rangle}, \mathrm{unif}([d_A]))\}$. The following lemma bounds the tails of the average of independent copies 
of a random variable. 

Lemma 2.8 (Concentration of the average). Let $a, b > 1$, $\delta \in (0, 1)$ and t a positive integer. Suppose X is a random 
variable with mean 0 satisfying the tail bounds 

$$\mathbf{P}\{X \ge \delta\} \le a e^{-b\delta^2} \quad \text{and} \quad \mathbf{P}\{X \le -\delta\} \le a e^{-b\delta^2}.$$
Let $X_1, \dots, X_t$ be independent copies of X. Then if $\delta^2 b > 16 a^2 \pi$, 



< exp 



5 2 bt 



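Taking $\delta = \epsilon/3$ and using Lemma 2.8 (which we can apply because we have $(\epsilon/3)^2 \cdot \frac{d}{c} > 16 \cdot 4^2 \cdot \pi$), we get 

$$\mathbf{P}\left\{ \frac{1}{t}\sum_{k=0}^{t-1} \Delta\big(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\big) - \mu \ge \epsilon/3 \right\} \le \exp\left(-\frac{1}{2}\,\frac{(\epsilon/3)^2\, t\, d}{c}\right).$$

Using this together with Lemma 2.6 we have 

$$\mathbf{P}\left\{ \frac{1}{t}\sum_{k=0}^{t-1} \Delta\big(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\big) \ge 2\epsilon/3 \right\} \le \exp\left(-\frac{\epsilon^2 t d}{18c}\right). \qquad (11)$$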



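We would like to have the event described in (11) hold for all $|\psi\rangle \in AB$. For this, we construct a finite set $\mathcal{N}$ of 
states (a $\delta$-net) for which we can ensure that $\frac{1}{t}\sum_{k=0}^{t-1} \Delta(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])) < 2\epsilon/3$ for all $|\psi\rangle \in \mathcal{N}$ holds with high 
probability. 

Lemma 2.9 ($\delta$-net). Let $\delta \in (0, 1)$. There exists a set $\mathcal{N}$ of pure states in $\mathbb{C}^d$ with $|\mathcal{N}| \le (3/\delta)^{2d}$ such that for every pure 
state $|\psi\rangle \in \mathbb{C}^d$ (i.e., $\||\psi\rangle\|_2 = 1$), there exists $|\tilde{\psi}\rangle \in \mathcal{N}$ such that 

$$\big\| |\psi\rangle - |\tilde{\psi}\rangle \big\|_2 \le \delta.$$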

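Let $\mathcal{N}$ be the $\epsilon/3$-net obtained by applying this lemma to the space AB with $\delta = \epsilon/3$. We have 

$$\mathbf{P}\left\{ \exists |\psi\rangle \in \mathcal{N} : \frac{1}{t}\sum_{k=0}^{t-1} \Delta\big(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\big) \ge 2\epsilon/3 \right\} \le |\mathcal{N}| \cdot \exp\left(-\frac{\epsilon^2 t d}{18c}\right) \le \exp\left(-d\left(\frac{\epsilon^2 t}{18c} - 2\ln(9/\epsilon)\right)\right).$$

Now for an arbitrary state $|\psi\rangle \in AB$, we know that there exists $|\tilde{\psi}\rangle \in \mathcal{N}$ such that $\||\psi\rangle - |\tilde{\psi}\rangle\|_2 \le \epsilon/3$. As a 
consequence, for any unitary transformation U, 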



A A 

< A(p^ y umf([d A ])) + \\U$) - UW)h 
<A(p^^,unif([d A ]))+e/3. 
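In the first inequality, we used the triangle inequality and the second inequality can be derived as in (10). Thus, 

$$\mathbf{P}\left\{ \exists |\psi\rangle \in AB : \frac{1}{t}\sum_{k=0}^{t-1} \Delta\big(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\big) > \epsilon \right\} \le \exp\left(-d\left(\frac{\epsilon^2 t}{18c} - 2\ln(9/\epsilon)\right)\right). \qquad (12)$$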



If t > 18c ''" 2 (9/e) , this bound is strictly smaller than 1 and the result follows. 

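To prove that we can suppose that $\{U_0, \dots, U_{t-1}\}$ define 0.9-MUBs, consider the function $f : |\varphi\rangle \mapsto \langle\psi|\varphi\rangle$ for 
some fixed vector $|\psi\rangle$. Then, if $|\varphi\rangle$ is a random pure state, we have $\mathbf{E}\{f(|\varphi\rangle)\} = 0$. Moreover, using Levy's Lemma 
with $\delta = d^{-0.45}$, 

$$\mathbf{P}\big\{ |\langle\psi|\varphi\rangle| \ge d^{-0.45} \big\} \le 4\exp\left(-\frac{d^{0.1}}{c}\right).$$

Thus, 

$$\mathbf{P}\big\{ \exists k \neq k',\ x, y \in [d],\ |\langle x|U_k^{\dagger} U_{k'}|y\rangle| \ge d^{-0.45} \big\} \le 4 t d^2 \exp\left(-\frac{d^{0.1}}{c}\right), \qquad (13)$$
which completes the proof. 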

□ 
Corollary 2.10 (Existence of entropic uncertainty relations). Let C be a Hilbert space of dimension $d > 2$. There exists 
a constant $c' > 1$ such that for any integer $t > 2$ such that * < d, there exists a set $\{U_0, \dots, U_{t-1}\}$ of unitary 
transformations of C satisfying the following entropic uncertainty relation: For any state 



c ' lo gMi ( 18 * \ ( /c'logf 



fc=0 \ / \ 6 / \ ' 

where $\eta(\epsilon) = -2\epsilon\ln(2\epsilon)$ for all $\epsilon > 0$. In particular, in the limit $d \to \infty$, we obtain the existence of a sequence of sets of t 
bases satisfying 

Um jSfe=oH(p^ w ) > x _ / c'log^ 

d->-oo logd ~~ V t 

Remark. Recall that the bases (or measurements) that constitute the uncertainty relation are defined as the images 
of the computational basis by $U_k^{\dagger}$. Note that for any set of unitaries $\{U_0, \dots, U_{t-1}\}$, we have 



k=0 

It is an open question whether there exist uncertainty relations matching this bound, even asymptotically as 
$d \to \infty$ [WW10]. Wehner and Winter [WW10] ask whether there even exists a growing function f such that 

d^oo i logd - V /(*) / 



The corollary answers this question in the affirmative with f(t) = y -, log t . □ 
Proof Define $c' = 18c$ where c comes from Levy's Lemma 2.7, $\epsilon = \sqrt{c' \log t / t}$ and decompose $C = A \otimes B$ with 



d B = [9/e 2 ] . As d > 5^-i6- and 



18clog(l/e) 10 , / / i \ t 



we get a family $U_0, \dots, U_{t-1}$ of unitary transformations that satisfies 

$$\frac{1}{t}\sum_{k=0}^{t-1} \Delta\big(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\big) \le \epsilon.$$

By Proposition 2.2, these unitary transformations also satisfy an entropic uncertainty relation: 

jEH«„ ) )>(l- £ )log( r ^ T ) 



-*?(e) 

>(l-e) log d-log(18/e 2 ) -77(e). 

□ 



fe=0 

2 



2.4 Metric uncertainty relations: explicit construction 

In this section, we are interested in obtaining families $\{U_0, \dots, U_{t-1}\}$ of unitaries verifying metric uncertainty 
relations where $U_0, \dots, U_{t-1}$ are explicit and efficiently computable using a quantum computer. For this section, 
we consider for simplicity a Hilbert space composed of qubits, i.e., of dimension $d = 2^n$ for some integer n. This 
Hilbert space is of the form $A \otimes B$ where A describes the states of the first $\log d_A$ qubits and B the last $\log d_B$ qubits. 
Note that we assume that both $d_A$ and $d_B$ are powers of two. 

We construct a set of unitaries by adapting an explicit low-distortion embedding of $(\mathbb{R}^d, \ell_2)$ into $(\mathbb{R}^{d'}, \ell_1)$ with 
$d' = d^{1+o(1)}$ by Indyk [Ind07]. Indyk's construction has two main ingredients: a set of mutually unbiased bases 
and an extractor. Our construction uses the same paradigm while requiring additional properties on both the 
mutually unbiased bases and the extractor. 

In order to obtain a locking scheme that only needs simple quantum operations, we construct sets of 
approximately mutually unbiased bases from a restricted set of unitaries that can be implemented with single-qubit 
Hadamard gates. Moreover, we impose three additional properties on the extractor: we need our extractor to be 
strong, to define a permutation and to be efficiently invertible. We want the extractor to be strong because we are 
constructing metric uncertainty relations as opposed to a norm embedding. The property of being a permutation 
extractor is needed to ensure that the induced transformation on $(\mathbb{C}^2)^{\otimes n}$ preserves the $\ell_2$ norm. We also require the 
efficient invertibility condition to be able to build an efficient quantum circuit for the permutation. See Definition 
2.14 for a precise formulation. 

The intuition behind Indyk's idea is as follows. Let $V_0, \dots, V_{r-1}$ be unitaries defining (approximately) mutually 
unbiased bases and let $\{P_y\}_{y \in S}$ be a permutation extractor (these terms are defined later in equation (14) and 
Definition 2.14). The role of the mutually unbiased bases is to guarantee that for all states $|\psi\rangle$ and for most values 
of $j \in [r]$, most of the mass of the state $V_j|\psi\rangle$ is "well spread" in the computational basis. This spread is measured 
in terms of the min-entropy of the distribution $p_{V_j|\psi\rangle}$. Then, the extractor $\{P_y\}_y$ will ensure that on average over 
$y \in S$, the masses $\sum_b |\langle a|\langle b| P_y V_j |\psi\rangle|^2$ are almost equal for all $a \in [d_A]$. More precisely, the distribution $p^A_{P_y V_j|\psi\rangle}$ is 
close to uniform. 

We start by recalling the definition of mutually unbiased bases. A set of unitary transformations $V_0, \dots, V_{r-1}$ 
is said to define $\gamma$-approximately mutually unbiased bases (or $\gamma$-MUBs) if for $i \neq j$ and any elements $|x\rangle$ and $|y\rangle$ of the 
computational basis, we have 

$$|\langle x| V_i^{\dagger} V_j |y\rangle| \le \frac{1}{d^{\gamma/2}}. \qquad (14)$$

As shown in the following lemma, there is a construction of mutually unbiased bases that can be efficiently 
implemented [WF89]. The proof of the lemma is deferred to Appendix B. 

Lemma 2.11 (Quantum circuits for MUBs). Let n be a positive integer and $d = 2^n$. For any integer $r < d + 1$, there exists 
a family $V_0, \dots, V_{r-1}$ of unitary transformations of $\mathbb{C}^d$ that define mutually unbiased bases. Moreover, there is a randomized 
classical algorithm with runtime $O(n^2\,\mathrm{polylog}\,n)$ that takes as input $j \in [r]$ and outputs a binary vector $\alpha_j \in \{0,1\}^{2n-1}$, 
and a quantum circuit of size $O(n\,\mathrm{polylog}\,n)$ and depth $O(\log n)$ that when given as input the vector $\alpha_j$ (classical input) 
and a quantum state $|\psi\rangle \in \mathbb{C}^d$ outputs $V_j|\psi\rangle$. 

Remark. The randomization in the algorithm is used to find an irreducible polynomial of degree n over $\mathbb{F}_2[X]$. 
It could be replaced by a deterministic algorithm that runs in time $O(n^4\,\mathrm{polylog}\,n)$. Observe that if n is odd and 
$r < (d + 1)/2$, it is possible to choose the unitary transformations to be real (see [HSP06]). □ 

It is also possible to obtain approximately mutually unbiased bases that use smaller circuits. In fact, the 
following lemma shows that we can construct large sets of approximately mutually unbiased bases defined by 
unitaries in the restricted set 

$$\mathcal{H} = \{H^v = H^{v_1} \otimes \cdots \otimes H^{v_n},\ v \in \{0,1\}^n\},$$

where H is the Hadamard transform on $\mathbb{C}^2$ defined by 

$$H = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}.$$

In our construction of metric uncertainty relations (Theorem 2.16), we could use the 1-MUBs of Lemma 2.11 or the 
$(1/2 - \delta)$-MUBs of Lemma 2.12. As the construction of approximate MUBs is simpler and can be implemented 
with simpler circuits, we use Lemma 2.12 when the choice of $\gamma$-MUBs is not specified. 

Lemma 2.12 (Approximate MUBs in $\mathcal{H}$). Let n' be a positive integer and $n = 2^{n'}$. 

1. For any integer $r < n$, there exists a family $V_0, \dots, V_{r-1} \in \mathcal{H}$ that define 1/2-MUBs. 

2. For any $\delta \in (0, 1/2)$, there exists a constant $c > 0$ independent of n such that for any $r < 2^{cn}$ there exists a family 
$V_0, \dots, V_{r-1}$ of unitary transformations in $\mathcal{H}$ that define $(1/2 - \delta)$-MUBs. 

Moreover, in both cases, given an index $j \in [r]$, there is a polynomial time (classical) algorithm that computes the vector 
$v \in \{0,1\}^n$ that defines the unitary $V_j = H^v$. 
Thus, 



Proof Observe that for any $v \in \{0,1\}^n$ and any $y \in \{0,1\}^n$, we have 

ff t, (|yi)®---®l2/ n )) = J ff ,,1 l2/i)®---®^"|yn>= E ^S)Wx---y'n)- 

y«e{0,l} fort/i=l 

y' i =y i for 1^—0 

= < ^^ W2 . (15) 

Using this observation, we see that a binary code $C \subseteq \{0,1\}^n$ with minimum distance $\gamma n$ defines a set of $\gamma$-MUBs 
in $\mathcal{H}$. It is now sufficient to find binary codes with minimum distance as large as possible. For the first 
construction, we use the Hadamard code that has minimum distance n/2. The Hadamard codewords are indexed 
by $x \in \{0,1\}^{n'}$; the codeword corresponding to x is the vector $v \in \{0,1\}^n$ whose coordinates are $v_z = x \cdot z$ for all 
$z \in \{0,1\}^{n'}$. This code has the largest possible minimum distance for a non-trivial binary code but its shortcoming 
is that the number of codewords is only n. For our applications, it is sometimes desirable to have r larger than n 
(this is useful to allow the error parameter $\epsilon$ of our metric uncertainty relation to be smaller than $n^{-1/2}$). 

For the second construction, we use families of linear codes with minimum distance 1/2—6 with a number 
of codewords that is exponential in n. For this, we can use Reed-Solomon codes concatenated with linear codes 
on {0, l} e (™ ) that match the performance of random linear codes; see for example Appendix E in [G0IO8J. For 
a simpler construction, note that we can also get 2 n ' v ^ codewords by using a Reed-Solomon code concatenated 
with a Hadamard code. □ 
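The link between code distance and basis overlap used in this proof can be checked numerically. The following Python sketch is an added example, not code from the paper: it builds $H^v$ for every codeword of the Hadamard code with n' = 2 (so n = 4 qubits and d = 16) and confirms that each pair of bases has overlap exactly $2^{-d_H(v,w)/2}$, hence at most $d^{-1/4}$. All function names are chosen here for illustration.

```python
import itertools
import math

S = 1 / math.sqrt(2)
HADAMARD = [[S, S], [S, -S]]
IDENTITY = [[1.0, 0.0], [0.0, 1.0]]


def kron(a, b):
    """Kronecker product of two matrices given as lists of rows."""
    return [[x * y for x in row_a for y in row_b]
            for row_a in a for row_b in b]


def hadamard_code(n_prime):
    """Hadamard code of length n = 2**n_prime: v_z = x . z (mod 2)."""
    points = list(itertools.product((0, 1), repeat=n_prime))
    return [tuple(sum(xi * zi for xi, zi in zip(x, z)) % 2 for z in points)
            for x in points]


def unitary(v):
    """H^v = H^{v_1} (x) ... (x) H^{v_n}: a Hadamard gate on qubit i iff v_i = 1."""
    u = [[1.0]]
    for bit in v:
        u = kron(u, HADAMARD if bit else IDENTITY)
    return u


def max_overlap(u, w):
    """max over x, y of |<x| U^dagger W |y>| (all entries here are real)."""
    d = len(u)
    return max(abs(sum(u[k][x] * w[k][y] for k in range(d)))
               for x in range(d) for y in range(d))


def hamming(v, w):
    """Hamming distance between two codewords."""
    return sum(a != b for a, b in zip(v, w))


def check_code(n_prime):
    """Return (minimum distance, worst overlap, d**(-gamma/2)) for the Hadamard code."""
    n = 2 ** n_prime
    d = 2 ** n
    code = hadamard_code(n_prime)
    pairs = list(itertools.combinations(code, 2))
    min_dist = min(hamming(v, w) for v, w in pairs)
    worst = 0.0
    for v, w in pairs:
        overlap = max_overlap(unitary(v), unitary(w))
        # Each pair of bases attains exactly 2^(-Hamming distance / 2).
        assert abs(overlap - 2 ** (-hamming(v, w) / 2)) < 1e-9
        worst = max(worst, overlap)
    gamma = min_dist / n  # relative minimum distance of the code
    return min_dist, worst, d ** (-gamma / 2)


if __name__ == "__main__":
    print(check_code(2))  # n = 4 qubits, d = 16
```

The dense matrices limit this check to small n; for larger n the same quantity follows from the Hamming distances alone.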

The next lemma shows that for any state $|\psi\rangle$, for most values of j, the distribution $p_{V_j|\psi\rangle}$ is close to a distribution 
with large min-entropy provided $\{V_j\}$ define $\gamma$-MUBs. This result might be of independent interest. In fact, the 
authors of [DFR+07] prove a lower bound close to n/2 on the min-entropy of a measurement in the computational 
basis of the state $U|\psi\rangle$ where U is chosen uniformly from the full set of the $2^n$ unitaries of $\mathcal{H}$. They leave as an open 
question the existence of small subsets of $\mathcal{H}$ that satisfy the same uncertainty relation. When used with the $\gamma$-MUBs 
of Lemma 2.12, the following lemma partially answers this question by exhibiting such sets of size polynomial in 
n but with a min-entropy lower bound close to n/4 instead. This can be used to reduce the amount of randomness 
needed for many protocols in the bounded and noisy quantum storage models. 

Lemma 2.13. Let $n > 1$, $d = 2^n$ and $\epsilon \in (0,1)$ and consider a set of $r = \lceil 2/\epsilon^2 \rceil$ unitary transformations $V_0, \dots, V_{r-1}$ of $\mathbb{C}^d$ 
defining $\gamma$-MUBs. For all $|\psi\rangle \in \mathbb{C}^d$, 

$$\left|\left\{ j \in [r] : \exists \text{ distribution } q_j,\ \Delta(p_{V_j|\psi\rangle}, q_j) \le \epsilon \text{ and } H_{\min}(q_j) \ge \frac{\gamma n}{2} - \log(8/\epsilon^2) \right\}\right| \ge (1 - \epsilon)\, r.$$

Proof This proof proceeds along the lines of [Ind07, Lemma 4.2]. Similar results can also be found in the sparse 
approximation literature; see [Tro04, Proposition 4.3] and references therein. 

Consider the $rd \times d$ matrix V obtained by concatenating the rows of the matrices $V_0, \dots, V_{r-1}$. For $S \subseteq [rd]$, 
$V_S$ denotes the submatrix of V obtained by selecting the rows in S. The coordinates of the vector $V|\psi\rangle \in \mathbb{C}^{rd}$ are 
indexed by $z \in [rd]$ and denoted by $(V|\psi\rangle)_z$. 

Claim. We have for any set $S \subseteq [rd]$ of size at most $d^{\gamma/2}$ and any unit vector $|\psi\rangle$, 

\\(vms\\i<i+^. (i6) 

To prove the claim, we want an upper bound on the operator 2-norm of the matrix (Vs), which is the square 
root of the largest eigenvalue of G = VgVs. As two distinct rows of V have an inner product bounded by ^772, the 
non-diagonal entries of G are bounded by ^772 • Moreover, the diagonal entries of G are all 1. By the Gershgorin 
circle theorem, all the eigenvalues of G lie in the disc centered at 1 of radius ■ We conclude that fl6) holds. 

Now pick S to be the set of indices of the d 1 largest entries of the vector {|(V^|^ , ))z| 2 }^e[r ( i]- Using the previous 
claim, we have IK^IV^sIl! < 2. Moreover, since S contains the d?/ 2 largest entries of {|(^|V ; ))z| 2 }z/ we have that 
for all z i S, |(V|V))z| 2 ^ /2 < \\V]i>)g = ££j W^Wl = r. Thus, for all z £ S, |(V|^),| 2 < 

We now build the distributions qj. For every j £ [r], define 

zeSn{jr,...,(j+V)r-l} 
which is the total weight in S of $V_j|\psi\rangle$. Defining $T_\epsilon = \{j : w_j > \epsilon\}$, we have $|T_\epsilon|\,\epsilon \le \|(V|\psi\rangle)_S\|_2^2 \le 2$. Thus, 

$$|T_\epsilon| \le 2/\epsilon \le \epsilon r.$$

We define the distribution $q_j$ for $j \in [r]$ by 

„M-J IWW + f ifirf + ^^S 

a ifjd + xeS. 

Since 

x x£.[d]:jd+x£S x£[d] 

qj is a probability distribution. Moreover, we have that for j £ T e 

1 / \ - 10, \ - /II), 

E 1 

x:jd-\-x£S 




The distribution ^ also has the nice property that for all x e [rf], qj{x) < + g < ^72- In other words, 

H min fe)> ^-log(8/e 2 ). ' □ 

We now move to the second building block in Indyk's construction: randomness extractors. Randomness 
extractors are functions that extract uniform random bits from weak sources of randomness. 

Definition 2.14 (Strong permutation extractor). Let n and $m < n$ be positive integers, $\ell \in [0, n]$ and $\epsilon \in (0, 1)$. A family 
of permutations $\{P_y\}_{y \in S}$ of $\{0,1\}^n$ where each permutation $P_y$ is described by two functions $P_y^E : \{0,1\}^n \to \{0,1\}^m$ (the 
first m bits of $P_y$) and $P_y^R : \{0,1\}^n \to \{0,1\}^{n-m}$ (the last $n - m$ bits of $P_y$) is said to be an explicit $(n, \ell) \to_\epsilon m$ strong 
permutation extractor if: 

• For any random variable X on $\{0,1\}^n$ such that $H_{\min}(X) \ge \ell$, and an independent seed $U_S$ uniformly distributed 
over S, we have 

$$\Delta\big(p_{U_S P^E_{U_S}(X)}, \mathrm{unif}(S \times \{0,1\}^m)\big) \le \epsilon,$$

which is equivalent to 

$$\frac{1}{|S|}\sum_{y \in S} \Delta\big(p_{P_y^E(X)}, \mathrm{unif}(\{0,1\}^m)\big) \le \epsilon. \qquad (17)$$

• For all $y \in S$, both the function $P_y$ and its inverse $P_y^{-1}$ are computable in time polynomial in n. 

Remark. A similar definition of permutation extractors was used in [RVW00] in order to avoid some entropy loss 
in an extractor construction. Here, the reason we use permutation extractors is different; it is because we want the 
induced transformation $P_y$ on $\mathbb{C}^{2^n}$ to preserve the $\ell_2$ norm. □ 

We can adapt an extractor construction of [GUV09] to obtain a permutation extractor with the following 
parameters. The details of the construction are presented in Appendix C. 

Theorem 2.15 (Explicit strong permutation extractors). For all (constant) $\delta \in (0, 1)$, all positive integers n, all 
$k \in [c\log(n/\epsilon), n]$ (c is a constant independent of n and $\epsilon$), and all $\epsilon \in (0, 1/2)$, there is an explicit $(n, k) \to_\epsilon (1 - \delta)k$ strong 
permutation extractor $\{P_y\}_{y \in S}$ with $\log|S| \le O(\log(n/\epsilon))$. Moreover, the functions $(x, y) \mapsto P_y(x)$ and $(x, y) \mapsto P_y^{-1}(x)$ 
can be computed by circuits of size $O(n\,\mathrm{polylog}(n/\epsilon))$. 

A permutation P on $\{0,1\}^n$ defines a unitary transformation on $(\mathbb{C}^2)^{\otimes n}$ that we also call P. The permutation 
extractor $\{P_y\}$ will be seen as a family of unitary transformations over n qubits. Moreover, just as we decomposed 
the space $\{0,1\}^n$ into the first m bits and the last $n - m$ bits, we decompose the space $(\mathbb{C}^2)^{\otimes n}$ into $A \otimes B$, where A 
represents the first m qubits and B represents the last $n - m$ qubits. The properties of $\{P_y^E\}$ will then be reflected 
in the system A. 

Combining Theorem 2.15 and Lemma 2.11 we obtain a set of unitaries satisfying a metric uncertainty relation. 

Theorem 2.16 (Explicit uncertainty relations: key optimized). Let $\delta > 0$ be a constant, n be a positive integer, 
$\epsilon \in (2^{-c'n}, 1)$ (c' is a constant independent of n). Then, there exist $t \le (n/\epsilon)^c$ (for some constant c independent of n 
and $\epsilon$) unitary transformations $U_0, \dots, U_{t-1}$ acting on n qubits such that: if A represents the first $(1 - \delta)n/4 - O(\log(1/\epsilon))$ 
qubits and B represents the remaining qubits, then for all $|\psi\rangle \in AB$, 

$$\frac{1}{t}\sum_{k=0}^{t-1} \Delta\big(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\big) \le \epsilon.$$

Moreover, the mapping that takes the index $k \in [t]$ and a state $|\psi\rangle$ as inputs and outputs the state $U_k|\psi\rangle$ can be performed 
by a classical computation with polynomial runtime and a quantum circuit that consists of single-qubit Hadamard gates on a 
subset of the qubits followed by a permutation in the computational basis. This permutation can be computed by (classical or 
quantum) circuits of size $O(n\,\mathrm{polylog}(n/\epsilon))$. 

Remark. Observe that in terms of the dimension d of the Hilbert space, the number of unitaries t is polylogarithmic. 

□ 

Proof Let $\epsilon' = \epsilon/6$. Lemma 2.11 gives $r = \lceil 2/\epsilon'^2 \rceil < 2^n$ unitary transformations $V_0, \dots, V_{r-1}$ that define mutually 
unbiased bases. Moreover, all these unitaries can be computed by circuits of size $O(n\,\mathrm{polylog}\,n)$. Theorem 2.15 
with $\ell = n/2 - \log(8/\epsilon'^2)$ and error $\epsilon'$ gives $|S| \le 2^{c\log(n/\epsilon')}$ permutations $\{P_y\}_{y \in S}$ of $\{0,1\}^n$ that are computable by 
classical circuits of size $O(n\,\mathrm{polylog}(n/\epsilon))$. We now argue that this classical circuit can be used to build a quantum 
circuit of size $O(n\,\mathrm{polylog}\,n)$ that computes the unitaries $P_y$. 

Given classical circuits that compute P and $P^{-1}$, we can construct reversible circuits $C_P$ and $C_{P^{-1}}$ for P and 
$P^{-1}$. The circuit $C_P$ when given input (x, 0) outputs the state (x, P(x)), so that it keeps the input x. Such a circuit 
can readily be transformed into a quantum circuit that acts on the computational basis states as the classical circuit. 
We also call these circuits $C_P$ and $C_{P^{-1}}$. Observe that we want to compute the unitary P, so we have to erase the 
input x. For this, we can then combine the circuits $C_P$ and $C_{P^{-1}}$ as described in Figure 1. Note that the size of this 
quantum circuit is the same as the size of the original classical circuit up to some multiplicative constant. Thus, 
this quantum circuit has size $O(n\,\mathrm{polylog}\,n)$. 



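[Figure 1 (circuit diagram): the registers $|x\rangle$ and $|0\rangle$ pass through $C_P$, giving $|x\rangle|P(x)\rangle$, and then through $(C_{P^{-1}})^{-1}$, leaving $|0\rangle$ and $|P(x)\rangle$.] 

Figure 1: Quantum circuit to compute the permutation P using quantum circuits $C_P$ for P and $C_{P^{-1}}$ for $P^{-1}$. 
$(C_{P^{-1}})^{-1}$ is simply the circuit $C_{P^{-1}}$ taken backwards. The bottom register is an ancilla register. 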
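The erasure step of Figure 1 can be simulated on basis states and on superpositions. This Python sketch is an added example, not part of the paper: it assumes the usual reversible embedding (a, b) -> (a, b XOR f(a)) for $C_P$ and $C_{P^{-1}}$ and uses a constructed toy permutation x -> 5x + 3 mod 16 in place of the extractor permutations. It also shows why the input has to be erased: without the second circuit, the register holding P(x) is left in a mixed state.

```python
N_BITS = 4
MOD = 1 << N_BITS
A, B = 5, 3                  # constructed toy parameters; A odd makes x -> A*x + B a bijection
A_INV = pow(A, -1, MOD)      # modular inverse of A (Python 3.8+)


def perm(x):
    """Toy permutation P on N_BITS-bit strings."""
    return (A * x + B) % MOD


def perm_inv(y):
    """Inverse permutation P^-1."""
    return (A_INV * (y - B)) % MOD


def c_p(x, anc):
    """C_P: (x, anc) -> (x, anc XOR P(x)); on anc = 0 this is (x, 0) -> (x, P(x))."""
    return x, anc ^ perm(x)


def c_p_inv_backwards(x, y):
    """(C_{P^-1})^{-1} reading y as its input: (x, y) -> (x XOR P^-1(y), y)."""
    return x ^ perm_inv(y), y


def swap(x, y):
    """Exchange the two registers."""
    return y, x


def apply(state, gate):
    """Apply a reversible map on basis states to a state {(reg0, reg1): amplitude}."""
    out = {}
    for (r0, r1), amp in state.items():
        key = gate(r0, r1)
        out[key] = out.get(key, 0.0) + amp
    return out


def in_place_permutation(state):
    """|x>|0> -> |P(x)>|0>: C_P, then C_{P^-1} taken backwards, then a swap."""
    for gate in (c_p, c_p_inv_backwards, swap):
        state = apply(state, gate)
    return state


def purity(state, register):
    """Tr(rho^2) for the reduced state of one register (1.0 means pure)."""
    rho = {}
    for (r0, r1), amp in state.items():
        for (s0, s1), amp2 in state.items():
            kept = (r0, s0) if register == 0 else (r1, s1)
            traced_equal = (r1 == s1) if register == 0 else (r0 == s0)
            if traced_equal:
                rho[kept] = rho.get(kept, 0.0) + amp * amp2.conjugate()
    return sum(abs(v) ** 2 for v in rho.values())


def demo():
    """Purity of the output register without and with the erasure step."""
    uniform = {(x, 0): 0.25 for x in range(MOD)}   # uniform superposition, ancilla 0
    not_erased = apply(uniform, c_p)               # sum_x |x>|P(x)>: x is still around
    erased = in_place_permutation(uniform)         # sum_x |P(x)>|0>
    return purity(not_erased, 1), purity(erased, 0)


if __name__ == "__main__":
    print(demo())
```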



The unitaries $\{U_0, \dots, U_{t-1}\}$ are obtained by taking all the possible products $P_y V_j$ for $j \in [r], y \in S$. Note that 
$t = r|S|$. We now show that the set $\{U_0, \dots, U_{t-1}\}$ verifies the uncertainty relation property. Using Lemma 2.13, 
for any state $|\psi\rangle$, the set 



_ def 

1 W = 



3 distribution qj, A(p Vj \^) ,qj) < e' and Va; € [d\,qj(x) < 



2r 



has size at least $(1 - \epsilon')r$. Moreover, for all $a \in [d_A]$, $p^A_{P_y V_i|\psi\rangle}(a) = \sum_b |\langle a|^A \langle b|^B P_y V_i |\psi\rangle|^2 = \mathbf{P}\{P_y^E(X) = a\}$ where 
X has distribution $p_{V_i|\psi\rangle}$. By definition, for $i \in T_\psi$, we have $\Delta(p_{V_i|\psi\rangle}, q_i) \le \epsilon'$ with $H_{\min}(q_i) \ge n/2 - \log(8/\epsilon'^2)$. 
Using the fact that $\{P_y^E\}$ is a strong extractor (see (17)) for min-entropy $n/2 - \log(8/\epsilon'^2)$, it follows that 

$$\frac{1}{|S|}\sum_{y \in S} \Delta\big(p^A_{P_y V_i|\psi\rangle}, \mathrm{unif}([d_A])\big) \le 2\epsilon'$$

for all $i \in T_\psi$. As $|T_\psi| \ge (1 - \epsilon')r$, we obtain 

$$\frac{1}{t}\sum_{k=0}^{t-1} \Delta\big(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\big) \le 3\epsilon' = \epsilon/2.$$

To conclude, we show that t can be taken to be a power of two at the cost of multiplying the error by at most two. 
In fact, let p be the smallest integer verifying $t \le 2^p$, so that $2^p \le 2t$. By repeating $2^p - t$ unitaries, it is easily 
seen that we obtain an $\epsilon$-metric uncertainty relation with $2^p$ unitaries from an $\epsilon/2$-metric uncertainty relation with 
t unitaries. □ 

Note that the B system we obtain is quite large and to get strong uncertainty relations, we want the system B 
to be as small as possible. For this it is possible to repeat the construction of the previous theorem on the B system. 
The next theorem gives a construction where the A system is composed of $n - O(\log\log n) - O(\log(1/\epsilon))$ qubits. 
Of course, this is at the expense of increasing the number of unitaries in the uncertainty relation. 

Theorem 2.17 (Explicit uncertainty relation: message length optimized). Let n be a positive integer and $\epsilon \in (2^{-c'n}, 1)$ 
(c' is a constant independent of n). Then, there exist $t \le (n/\epsilon)^{c\log n}$ (for some constant c independent of n and $\epsilon$) unitary 
transformations $U_0, \dots, U_{t-1}$ acting on n qubits that are all computable by quantum circuits of size $O(n\,\mathrm{polylog}(n/\epsilon))$ such 
that: if A represents the first $n - O(\log\log n) - O(\log(1/\epsilon))$ qubits and B represents the remaining qubits, then for all 
$|\psi\rangle \in AB$, 

$$\frac{1}{t}\sum_{k=0}^{t-1} \Delta\big(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\big) \le \epsilon. \qquad (18)$$

Moreover, the mapping that takes the index $k \in [t]$ and a state $|\psi\rangle$ as inputs and outputs the state $U_k|\psi\rangle$ can be performed 
by a classical precomputation with polynomial runtime and a quantum circuit of size $O(n\,\mathrm{polylog}(n/\epsilon))$. The number of 
unitaries t can be taken to be a power of two. 



Proof Using the construction of Theorem 2.16, we obtain a system A over which we have some uncertainty 
relation and a system B that we do not control. In order to decrease the dimension of the system B, we can apply 
the same construction to that system. The system B then gets decomposed into $A_2B_2$, and we know that the 
distribution of the measurement outcomes of system $A_2$ in the computational basis is close to uniform. As a result, 
we obtain an uncertainty relation on the system $AA_2$ (see Figure 2). 

[Figure 2 (diagram): the system $B_1 = A_2B_2$ shown next to $A_1$.] 

Figure 2: Composition of the construction of Theorem 2.16. In order to reduce the dimension of the B system, we 
can re-apply the uncertainty relation to the B system. 

More precisely, we start by demonstrating a simple property about the composition of metric uncertainty 
relations. Note that this composition is different from the one described in (7), but the proof is quite similar. 

Claim. Suppose the set $\{U^{(1)}_0, \dots, U^{(1)}_{t_1-1}\}$ of unitaries on $A_1B_1$ satisfies a $(t_1, \epsilon_1)$-metric uncertainty relation on 
system $A_1$ and the set $\{U^{(2)}_0, \dots, U^{(2)}_{t_2-1}\}$ of unitaries on $B_1 = A_2B_2$ satisfies a $(t_2, \epsilon_2)$-metric uncertainty relation on 
$A_2$. Then the set of unitaries $\{(\mathbb{1}^{A_1} \otimes U^{(2)}_{k_2}) \cdot U^{(1)}_{k_1}\}_{k_1, k_2}$ satisfies a $(t_1t_2, \epsilon_1 + \epsilon_2)$-metric uncertainty relation 
on $A_1A_2$: for all $|\psi\rangle \in A_1A_2B_2$, 

$$\frac{1}{t_1 t_2}\sum_{(k_1, k_2) \in [t_1] \times [t_2]} \Delta\Big(p^{A_1A_2}_{(\mathbb{1}^{A_1} \otimes U^{(2)}_{k_2}) U^{(1)}_{k_1}|\psi\rangle}, \mathrm{unif}([d_{A_1}d_{A_2}])\Big) \le \epsilon_1 + \epsilon_2.$$
For a fixed value of $k_1 \in [t_1]$ and $a_1 \in [d_{A_1}]$, we can apply the second uncertainty relation to the state 

\\lZ\^ulllt)\\ 2 = I ZT ((*i\(bi\U ki m) \h) eB 1 = A 2 B 2 . As {{b^ = {|a 2 )|& 2 )} a2 , b2 , we have 

y p u kl w (ai *> 



*2 



fc 2 «2 ^(7fc 1 |V>) v "' i; 62 

We can then calculate, in the same vein as dHl 



dA 2 



< e 2 . 



E EK ^ 1 ^^^! 52 ^ 1 ®^)^^)! 2 -^ 



fei ,fe 2 Ol ,12 62 



d>A 1 dA 2 



< 



^EE 



fcl,/C2 Q l 



(1a 2 



k\ a±,a 2 



d A2 



dA ± dA 2 



< e 2 + ei. 

This completes the proof of the claim. 

To obtain the claimed dimensions, we compose the construction of Theorem 2.16 h times with an error 
parameter $\epsilon' = \epsilon/h$ and $\delta = 1/8$. Starting with a space of n qubits, the dimension of the B system (after one 
step) can be bounded by 

$$\frac{7}{8}n - O(\log(1/\epsilon')) \le \log d_B \le \frac{7}{8}n.$$

So after h steps, we have 

$$(7/8)^h n - O(\log(1/\epsilon')) \cdot 8(1 - (7/8)^h) \le \log d_{B_h} \le (7/8)^h n.$$

Thus, 

$$(7/8)^h n - O(\log(1/\epsilon')) \le \log d_{B_h} \le (7/8)^h n.$$

Note that h cannot be arbitrarily large: in order to apply the construction of Theorem 2.16 on a system of m qubits 
with error $\epsilon'$, we should have $\epsilon' > 2^{-c'm}$. In other words, if 

$$\log d_{B_h} > \frac{1}{c'}\log(h/\epsilon), \qquad (19)$$

then we can apply the construction h times. Let c'' be a constant to be chosen later and 
$h = \frac{1}{\log(8/7)}\big(\log n - \log(c''\log\log n + c''\log(1/\epsilon))\big)$. This choice of h satisfies (19). In fact, 

$$\log d_{B_h} \ge c''\log\log n + c''\log(1/\epsilon) - O(\log(h/\epsilon)) > \frac{1}{c'}\log(h/\epsilon)$$

if c'' is chosen large enough. Moreover, we get 

logd Bh = 2- log " ■ 2 lo s°( lo g lo g"+ lo s( 1 A)) >n = O(loglogn + log(l/e)) 
as stated in the theorem. 

Each unitary of the obtained uncertainty relation is a product of h unitaries. The overall number of unitaries is 
the product of the number of unitaries for each of the h steps. As a result, we have $t \le (n/\epsilon)^{c\log n}$ for some constant c. 
t can be taken to be a power of two as the number of unitaries at each step can be taken to be a power of two. 

As for the running time, each unitary of the uncertainty relation is a product of $O(\log n)$ unitaries from Theorem 
2.16. Hence, each unitary can be computed by a quantum circuit of size $O(n\,\mathrm{polylog}\,n)$. 



□ 
It is of course possible to obtain a trade-off between the key size and the dimension of the B system by choosing 
the number of times the construction of Theorem 2.16 is applied. In the next corollary we show how to obtain an 
explicit entropic uncertainty relation whose average entropy is $(1 - \epsilon)n$. 

Corollary 2.18 (Explicit entropic uncertainty relations). Let $n > 100$ be an integer, and $\epsilon \in (10n^{-1/2}, 1/(2e))$. Then, 
there exists $t \le (n/\epsilon)^{c\log(1/\epsilon)}$ (for some constant c independent of n and $\epsilon$) unitary transformations $U_0, \dots, U_{t-1}$ acting on n 
qubits that are all computable by quantum circuits of size $O(n\,\mathrm{polylog}\,n)$ verifying an entropic uncertainty relation: for all 
pure states $|\psi\rangle \in (\mathbb{C}^2)^{\otimes n}$, 

$$\frac{1}{t}\sum_{k=0}^{t-1} H(p_{U_k|\psi\rangle}) \ge (1 - 3\epsilon)n - \eta(\epsilon) \qquad (20)$$

where $\eta(\epsilon) = -2\epsilon\ln(2\epsilon)$. Moreover, the mapping that takes the index $k \in [t]$ and a state $|\psi\rangle$ as inputs and outputs the state 
$U_k|\psi\rangle$ can be performed by a classical randomized precomputation with expected runtime $O(n^2\,\mathrm{polylog}\,n)$ and a quantum 
circuit of size $O(n\,\mathrm{polylog}\,n)$. The number of unitaries t can be taken to be a power of two. 



Proof The proof is basically the same as the proof of Theorem 2.17, except that we repeat the construction 
$h = \lceil \log(1/\epsilon)/\log(8/7) \rceil$ times. We thus have 

$$\log d_{B_h} \le (7/8)^h n \le \epsilon n.$$

We obtain a set of $t \le (n/\epsilon)^{c\log(1/\epsilon)}$ unitary transformations. Applying Proposition 2.2, we get 

$$\frac{1}{t}\sum_{k=0}^{t-1} H(p_{U_k|\psi\rangle}) \ge (1 - 2\epsilon)(1 - \epsilon)n - \eta(\epsilon) \ge (1 - 3\epsilon)n - \eta(\epsilon).$$



□ 



3 Locking classical information in quantum states 



Outline of the section We apply the results on metric uncertainty relations of the previous section to obtain 
locking schemes. After an introductory section on locking classical correlations (Section 3.1), we show how to 
obtain a locking scheme using a metric uncertainty relation in Section 3.2. Using the constructions of the previous 
section, this leads to locking schemes presented in Corollary 3.4. In Section 3.4, we observe that these 
locking schemes can be used to construct efficient string commitment protocols. Section 3.5 discusses the link to 
locking entanglement of formation. 



3.1 Background 

Locking of classical correlations was first described in [DHL+04] as a violation of the incremental proportionality 
of the maximal classical mutual information that can be obtained by local measurement on a bipartite state. More 
precisely, for a bipartite state $\omega^{AB}$, the maximum classical mutual information $I_c$ is defined by 

$$I_c(A;B)_\omega = \max_{\{M_i^A\},\{M_i^B\}} I(I_A; I_B),$$

where $\{M_i^A\}$ and $\{M_i^B\}$ are measurements on A and B, and $I_A, I_B$ are the (random) outcomes of these 
measurements on the state $\omega^{AB}$. Incremental proportionality is the intuitive property that $\ell$ bits of communication 
between two parties can increase their mutual information by at most $\ell$ bits. The authors of [DHL+04] considered 
the states 

$$\omega^{XKC} = \frac{1}{2d}\sum_{k=0}^{1}\sum_{x=0}^{d-1} |x\rangle\langle x|^X \otimes |k\rangle\langle k|^K \otimes (U_k|x\rangle\langle x|U_k^{\dagger})^C \qquad (21)$$

for $k \in \{0, 1\}$ where $U_0 = \mathbb{1}$ and $U_1$ is the Hadamard transform. It was shown in [DHL+04] that the classical 
mutual information $I_c(XK; C)_\omega = \frac{1}{2}\log d$. However, if the holder of the C system also knows the value of k, then 
we can represent the global state by the following density operator 

$$\omega^{XKCK'} = \frac{1}{2d}\sum_{k=0}^{1}\sum_{x=0}^{d-1} |x\rangle\langle x|^X \otimes |k\rangle\langle k|^K \otimes (U_k|x\rangle\langle x|U_k^{\dagger})^C \otimes |k\rangle\langle k|^{K'}.$$

It is easy to see that $I_c(XK; CK')_\omega = 1 + \log d$. This means that with only one bit of communication (represented 
by the register K'), the classical mutual information between systems XK and C jumped from $\frac{1}{2}\log d$ to $1 + \log d$. 
In other words, it is possible to unlock $\frac{1}{2}\log d$ bits of information (about X) from the quantum system C using a 
single bit. 
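The jump from $\frac{1}{2}\log d$ to $1 + \log d$ can be reproduced for small d. The following Python sketch is an added example, not from the paper: it assumes $U_1 = H^{\otimes n}$ on $d = 2^n$, and it evaluates the mutual information for one fixed measurement of C (the computational basis) rather than maximizing over all measurements, then for the measurement that uses the key bit.

```python
import math


def amplitude(k, j, x, n):
    """<j| U_k |x> for U_0 = identity and U_1 = Hadamard transform on n qubits."""
    if k == 0:
        return 1.0 if j == x else 0.0
    sign = -1.0 if bin(j & x).count("1") % 2 else 1.0
    return sign / math.sqrt(2 ** n)


def outcome_prob(basis, i, k, x, n):
    """Probability of outcome i when U_k|x> is measured in the basis {U_basis|i>}."""
    d = 2 ** n
    overlap = sum(amplitude(basis, j, i, n) * amplitude(k, j, x, n)
                  for j in range(d))
    return overlap ** 2


def mutual_information(joint):
    """I(A;B) in bits from a joint distribution {(a, b): probability}."""
    pa, pb = {}, {}
    for (a, b), p in joint.items():
        pa[a] = pa.get(a, 0.0) + p
        pb[b] = pb.get(b, 0.0) + p
    return sum(p * math.log2(p / (pa[a] * pb[b]))
               for (a, b), p in joint.items() if p > 1e-15)


def locking_demo(n):
    """Return (I without the key bit, I with the key bit) for d = 2**n."""
    d = 2 ** n
    without_key, with_key = {}, {}
    for k in (0, 1):
        for x in range(d):
            for i in range(d):
                # No key: the holder of C measures in the computational basis.
                without_key[((x, k), i)] = outcome_prob(0, i, k, x, n) / (2 * d)
                # Key known: measure in basis k and keep k with the outcome.
                with_key[((x, k), (i, k))] = outcome_prob(k, i, k, x, n) / (2 * d)
    return mutual_information(without_key), mutual_information(with_key)


if __name__ == "__main__":
    for n in (2, 3):
        print(n, locking_demo(n))
```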

The authors of [HLSW04] proved an even stronger locking result. They generalize the state in equation (21) to 

$$\omega^{XKCK'} = \frac{1}{td}\sum_{x=0}^{d-1}\sum_{k=0}^{t-1} |x\rangle\langle x|^X \otimes |k\rangle\langle k|^K \otimes (U_k|x\rangle\langle x|U_k^{\dagger})^C \otimes |k\rangle\langle k|^{K'} \qquad (22)$$

where $U_k$ are chosen independently at random according to the Haar measure. They show that for any $\epsilon > 0$, by 
taking $t = (\log d)^3$ and if d is large enough, 

$$I_c(X; C)_\omega \le \epsilon\log d \quad \text{and} \quad I_c(XK; CK')_\omega = \log d + \log t$$

with high probability. Note that the size of the key measured in bits is only $\log t = O(\log\log d)$ and it should 
be compared to the $(1 - \epsilon)\log d$ bits of unlocked (classical) information. It should be noted that their argument 
is probabilistic, and it does not say how to construct the unitary transformations $U_k$. It is worth stressing that 
standard derandomization techniques are not known to work in this setting. For example, unitary t-designs use 
far too many bits of randomness [DCEL09]. Moreover, using a $\delta$-biased subset of the set of Pauli matrices fails to 
produce a locking scheme unless the subset has a size of the order of the dimension d [AS04, DD10] (see Appendix 

Here, we view locking as a cryptographic task in which a message is encoded into a quantum state using 
a key whose size is much smaller than the message. Having access to the key, one can decode the message. 
However, an eavesdropper who does not have access to the key and has complete uncertainty about the message 
can extract almost no classical information about the message. We should stress here that this is not a composable 
cryptographic task, namely because an eavesdropper could choose to store quantum information about the 
message instead of measuring. In fact, as shown in [KRBM07], using the communicated message $X$ as a key for 
a one-time pad encryption might not be secure; see also [DFHL10]. It is however strictly stronger than the notion 
of entropic security [RW02, DS05, DD10] (see Appendix D for an example of an entropically secure encryption 
scheme that is not $\epsilon$-locking). 

Definition 3.1 ($\epsilon$-locking scheme). Let $n$ be a positive integer, $\ell \in [0, n]$ and $\epsilon \in [0, 1]$. An encoding $\mathcal{E} : [2^n] \times [t] \to S(C)$ 
is said to be $(\ell, \epsilon)$-locking for the quantum system $C$ if: 

• For all $x \neq x' \in [2^n]$ and all $k \in [t]$, $\Delta(\mathcal{E}(x, k), \mathcal{E}(x', k)) = 1$. 

• Let $X$ (the message) be a random variable on $[2^n]$ with min-entropy $H_{\min}(X) \ge \ell$, and $K$ (the key) be an independent 
uniform random variable on $[t]$. For any measurement $\{M_i\}$ on $C$ and any outcome $i$, 

$$\Delta(p_{X|[I=i]}, p_X) \le \epsilon \qquad (23)$$

where $I$ is the outcome of measurement $\{M_i\}$ on the (random) quantum state $\mathcal{E}(X, K)$. 

When the min-entropy bound $\ell$ is not specified, it should be understood that $\ell = n$ meaning that $X$ is uniformly 
distributed on $[2^n]$. The state $\mathcal{E}(X, K)$ is sometimes referred to as the ciphertext. 

Remark. The relevant parameters of a locking scheme are: the number of bits $n$ of the (classical) message, the 
dimension $d$ of the (quantum) ciphertext, the number $t$ of possible values of the key and the error $\epsilon$. Strictly 
speaking, a classical one-time pad encryption, for which $t = 2^n$, is $(0, 0)$-locking according to this definition. 
However, here we seek locking schemes for which $t$ is much smaller than $2^n$, say $t$ polynomial in $n$. This cannot 
be achieved using a classical encryption scheme. 
Observe that one can simply guess the key and apply the corresponding decoding. This observation shows 
that the error of an $\epsilon$-locking scheme satisfies $\epsilon \ge \frac{1}{t} - \frac{1}{2^n}$ [DHL+04]. □ 

Note that we used the statistical distance between $p_{X|[I=i]}$ and $p_X$ instead of the mutual information between 
$X$ and $I$ to measure the information gained about $X$ from a measurement. Using the trace distance is a stronger 
requirement as demonstrated by the following proposition. 

Proposition 3.2. Let $\epsilon \in [0,$ and $\mathcal{E} : [2^n] \times [t] \to S(C)$ be an $\epsilon$-locking scheme. Define the state 

$$\omega^{XKCK'} = \frac{1}{t 2^n} \sum_{k=0}^{t-1} \sum_{x=0}^{2^n-1} |x\rangle\langle x|^X \otimes |k\rangle\langle k|^K \otimes \mathcal{E}(x, k)^C \otimes |k\rangle\langle k|^{K'}.$$

Then, 

$$I_c(X; C)_\omega \le 2\epsilon n + \eta(\epsilon) \quad \text{and} \quad I_c(XK; CK')_\omega = n + \log t$$

where $\eta(\epsilon) = -2\epsilon \ln(2\epsilon)$ with $\eta(0) = 0$. 

Proof. First, we can suppose that the measurement performed on the system $X$ is in the basis $\{|x\rangle^X\}_x$. In fact, 
the outcome distribution of any measurement on the $X$ system can be simulated classically using the values of the 
random variables $X$. 

Now let $I$ be the outcome of a measurement performed on the $C$ system. Using Fannes' inequality, we have 
for any $i$ 

$$\begin{aligned}
H(X) - H(X | I = i) &\le 2\Delta(p_X, p_{X|[I=i]})\, n + \eta\big(\Delta(p_X, p_{X|[I=i]})\big) \\
&\le 2\epsilon n + \eta(\epsilon)
\end{aligned}$$

using the fact that $\mathcal{E}$ defines an $\epsilon$-locking scheme. Thus, 

$$I(X; I) = H(X) - \sum_i \mathbf{P}\{I = i\}\, H(X | I = i) \le 2\epsilon n + \eta(\epsilon).$$

As this holds for any measurement, we get $I_c(X; C)_\omega \le 2\epsilon n + \eta(\epsilon)$. □ 

The trace distance was also used in [Dup10, DFHL10] to define a locking scheme. To measure the leakage of 
information about $X$ caused by a measurement, they used the probably more natural trace distance between the 
joint distribution $p_{(X,I)}$ and the product distribution $p_X \times p_I$. Note that our definition is stronger, in that for all 
outcomes of the measurement $i$, $\Delta(p_{X|[I=i]}, p_X) \le \epsilon$ whereas the definition of [DFHL10] says that this only holds 
on average over $i$. To the best of our knowledge, even the existence of such a strong locking scheme with small 
key was unknown. 

For a survey on locking classical correlations, see [Leu09]. 
3.2 Locking using a metric uncertainty relation 

The following theorem shows that a locking scheme can easily be constructed using a metric uncertainty relation. 

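Theorem 3.3. Let $\epsilon \in (0, 1)$ and $\{U_0, \ldots, U_{t-1}\}$ be a set of unitary transformations of $A \otimes B$ that satisfies an $\epsilon$-metric 
uncertainty relation on $A$, i.e., for all states $|\psi\rangle \in AB$, 

$$\frac{1}{t} \sum_{k=0}^{t-1} \Delta\left(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\right) \le \epsilon.$$

Assume $d_A = 2^n$. Then, the mapping $\mathcal{E} : [2^n] \times [t] \to S(AB)$ defined by 

$$\mathcal{E}(x, k) = \frac{1}{d_B} \sum_{b=0}^{d_B-1} U_k^\dagger \left(|x\rangle\langle x|^A \otimes |b\rangle\langle b|^B\right) U_k$$

is $\epsilon$-locking. Moreover, for all $\ell \in [0, n]$ such that $2^{\ell-n} > \epsilon$, it is $\left(\ell, \frac{2\epsilon}{2^{\ell-n} - \epsilon}\right)$-locking. 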






Remark. The state that the encoder inputs in the $B$ system is simply private randomness. The encoder chooses a 
uniformly random $b \in [d_B]$ and sends the quantum state $U_k^\dagger |x\rangle^A |b\rangle^B$. Note that $b$ does not need to be part of the 
key (i.e., shared with the receiver). This makes the dimension $d = d_A d_B$ of the ciphertext larger than the number 
of possible messages $2^n$. If one insists on having a ciphertext of the same size as the message, it suffices to consider 
$b$ as part of the message and apply a one-time pad encryption to $b$. The number of possible values taken by the key 
increases to $t \cdot d_B$. □ 

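Proof. First, it is clear that different messages are distinguishable. In fact, for $x \neq x'$ and any $k$, 

$$\Delta(\mathcal{E}(x, k), \mathcal{E}(x', k)) = \frac{1}{2} \mathrm{tr} \left| \, |x\rangle\langle x|^A \otimes \frac{\mathbb{1}^B}{\dim B} - |x'\rangle\langle x'|^A \otimes \frac{\mathbb{1}^B}{\dim B} \right| = 1.$$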



We now prove the locking property. Let $X$ be the random variable representing the message. Assume that $X$ is 
uniformly distributed over some set $S \subseteq [d_A]$ of size $|S| \ge 2^\ell$. Let $K$ be a uniformly random key in $[t]$ that is 
independent of $X$. Consider a POVM $\{M_i\}$ on the system $AB$. Without loss of generality, we can suppose that 
the POVM elements $M_i$ have rank 1. Otherwise, by writing $M_i$ in its eigenbasis, we could decompose outcome $i$ 
into more outcomes that can only reveal more information. So we can write the elements as weighted rank one 
projectors: $M_i = \xi_i |e_i\rangle\langle e_i|$ where $\xi_i > 0$. Our objective is to show that the outcome $I$ of this measurement on 
the state $\mathcal{E}(X, K)$ is almost independent of $X$. More precisely, for a fixed measurement outcome $I = i$, we want 
to compare the conditional distribution $p_{X|[I=i]}$ with $p_X$. The trace distance between these distributions can be 
written as 

$$\frac{1}{2} \sum_{x=0}^{d_A-1} \left| \mathbf{P}\{X = x | I = i\} - \mathbf{P}\{X = x\} \right|. \qquad (24)$$



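Towards this objective, we start by computing the distribution of the measurement outcome $I$, given the value 
of the message $X = x$ (note that the receiver does not know the key): 

$$\begin{aligned}
\mathbf{P}\{I = i | X = x\} &= \frac{\xi_i}{t d_B} \sum_{k=0}^{t-1} \sum_{b=0}^{d_B-1} \mathrm{tr}\left[ U_k |e_i\rangle\langle e_i| U_k^\dagger \, |x\rangle\langle x|^A \otimes |b\rangle\langle b|^B \right] \\
&= \frac{\xi_i}{t d_B} \sum_{k=0}^{t-1} \sum_{b=0}^{d_B-1} \langle x|^A \langle b|^B U_k |e_i\rangle\langle e_i| U_k^\dagger |x\rangle^A |b\rangle^B \\
&= \frac{\xi_i}{t d_B} \sum_{k=0}^{t-1} \sum_{b=0}^{d_B-1} \left| \langle x|^A \langle b|^B U_k |e_i\rangle \right|^2 \\
&= \frac{\xi_i}{d_B t} \sum_{k=0}^{t-1} p^A_{U_k|e_i\rangle}(x).
\end{aligned}$$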



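Since $X$ is uniformly distributed over $S$, we have that for all $x \in S$ 

$$\mathbf{P}\{X = x | I = i\} = \frac{\mathbf{P}\{X = x\}\, \mathbf{P}\{I = i | X = x\}}{\sum_{x' \in S} \mathbf{P}\{X = x'\}\, \mathbf{P}\{I = i | X = x'\}}.$$

Observe that in the case where $X$ is uniformly distributed over $[2^n]$ ($S = [2^n]$), it is simple to obtain directly that 

$$\Delta(p_{X|[I=i]}, p_X) = \frac{1}{2} \sum_{x=0}^{d_A-1} \left| \frac{1}{t} \sum_k p^A_{U_k|e_i\rangle}(x) - \frac{1}{d_A} \right| \le \epsilon \qquad (25)$$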



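using the fact that $\{U_k\}$ satisfies a metric uncertainty relation on $A$. Now let $S$ be any set of size at least $2^\ell$, let 
$\alpha = \frac{1}{t} \sum_{x' \in S} \sum_k p^A_{U_k|e_i\rangle}(x')$. We then bound 

$$\begin{aligned}
\frac{1}{2} \sum_{x=0}^{d_A-1} \left| \mathbf{P}\{X = x | I = i\} - \mathbf{P}\{X = x\} \right| &= \frac{1}{2} \sum_{x \in S} \left| \frac{1}{\alpha t} \sum_{k=0}^{t-1} p^A_{U_k|e_i\rangle}(x) - \frac{1}{|S|} \right| \\
&\le \frac{1}{\alpha} \cdot \frac{1}{t} \sum_k \frac{1}{2} \sum_{x \in S} \left| p^A_{U_k|e_i\rangle}(x) - \frac{1}{2^n} \right| + \frac{1}{2} \sum_{x \in S} \left| \frac{1}{\alpha 2^n} - \frac{1}{|S|} \right|.
\end{aligned}$$

We now use the fact that $\{U_k\}$ satisfies a metric uncertainty relation on $A$: we get 

$$\frac{1}{t} \sum_k \frac{1}{2} \sum_{x \in S} \left| p^A_{U_k|e_i\rangle}(x) - \frac{1}{2^n} \right| \le \frac{1}{t} \sum_k \frac{1}{2} \sum_{x \in [d_A]} \left| p^A_{U_k|e_i\rangle}(x) - \frac{1}{2^n} \right| \le \epsilon$$

and 

$$\left| \frac{|S|}{2^n} - \frac{1}{t} \sum_{x' \in S} \sum_{k=0}^{t-1} p^A_{U_k|e_i\rangle}(x') \right| \le \epsilon. \qquad (26)$$

As a result, we have 

$$\Delta(p_{X|[I=i]}, p_X) \le \frac{2\epsilon}{\alpha}.$$

Using we have $\alpha \ge |S| 2^{-n} - \epsilon \ge 2^{\ell-n} - \epsilon$. If $\epsilon < 2^{\ell-n}$, we get 

$\Delta(p_{X|[I=i]}, p_X) \le$ 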



In the general case when $X$ has min-entropy $\ell$, the distribution of $X$ can be seen as a mixture of uniform 
distributions over sets of size at least $2^\ell$. So there exist independent random variables $J \in \mathbb{N}$ and $\{X_j\}$ uniformly 
distributed on sets of size at least $2^\ell$ such that $X = X_J$. One can then write 

\ |P {X = x\I = i] - P {X = x}\ = l P i J = 3) ( p {Xj = x\I = i, J = j] - P {X 3 = x\J = 



< 



2c 



2t-n 



□ 
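To see the quantities of this proof on a concrete instance, the following Python sketch (an added example, not code from the paper) computes, for one rank-one measurement direction $|e_i\rangle$, the averaged marginal $\frac{1}{t}\sum_k p^A_{U_k|e_i\rangle}$, the normalisation $\alpha$, the posterior distance (24), and the per-vector average $\frac{1}{t}\sum_k \Delta(p^A_{U_k|e_i\rangle}, \mathrm{unif}([d_A]))$. The family of unitaries (Hadamard gates on a chosen subset of qubits) is a constructed toy family, not the construction of Theorem 2.16 or 2.17, and all function names are hypothetical.

```python
import math


def apply_hadamards(vec, mask):
    """Apply a Hadamard gate to every qubit whose bit is set in mask (real amplitudes)."""
    v = list(vec)
    n = len(v).bit_length() - 1
    r = 1.0 / math.sqrt(2.0)
    for q in range(n):
        if (mask >> q) & 1:
            step = 1 << q
            for i in range(len(v)):
                if not i & step:
                    a, b = v[i], v[i | step]
                    v[i], v[i | step] = r * (a + b), r * (a - b)
    return v


def marginal_on_a(vec, d_b):
    """p^A(x) = sum_b |<x, b|vec>|^2, with basis index x * d_b + b."""
    d_a = len(vec) // d_b
    return [sum(vec[x * d_b + b] ** 2 for b in range(d_b)) for x in range(d_a)]


def trace_distance(p, q):
    """Total variation distance between two distributions given as lists."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def posterior_analysis(masks, e_vec, d_b, support):
    """Quantities from the locking proof for the outcome direction e_vec.

    masks   -- one Hadamard mask per key value k (the toy unitaries U_k)
    support -- the set S on which the message X is uniform
    Returns (distance between posterior and prior, per-vector epsilon, alpha).
    """
    d_a = len(e_vec) // d_b
    marginals = [marginal_on_a(apply_hadamards(e_vec, m), d_b) for m in masks]
    t = len(masks)
    avg = [sum(p[x] for p in marginals) / t for x in range(d_a)]
    alpha = sum(avg[x] for x in support)
    posterior = [avg[x] / alpha if x in support else 0.0 for x in range(d_a)]
    prior = [1.0 / len(support) if x in support else 0.0 for x in range(d_a)]
    uniform = [1.0 / d_a] * d_a
    eps = sum(trace_distance(p, uniform) for p in marginals) / t
    return trace_distance(posterior, prior), eps, alpha


def basis_state(index, dim):
    """Computational basis vector |index> in dimension dim."""
    return [1.0 if j == index else 0.0 for j in range(dim)]


if __name__ == "__main__":
    # Constructed instance: A = 2 qubits, B = 1 qubit, keys = {identity, H on all qubits}.
    e = basis_state(0, 8)
    print(posterior_analysis([0b000, 0b111], e, 2, {0, 1, 2, 3}))
    print(posterior_analysis([0b000, 0b111], e, 2, {0, 1}))
```

For the constructed two-key instance the distance on the full message set is 0.375, equal to the per-vector average, so two bases alone give only a weak bound.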



Using Theorem 3.3 together with the existence of metric uncertainty relations (Theorem 2.5), we show the 
existence of $\epsilon$-locking schemes whose key size depends only on $\epsilon$ and not on the size of the encoded message. This 
result was not previously known. 

Corollary 3.4 (Existence of locking schemes). Let $c = 9\pi^2$, $n > 8 + \log c$ and $\epsilon \in (0, 1)$. Then there exists an $\epsilon$-locking 
scheme encoding an $n$-bit message using a key of at most $2\log(1/\epsilon) + \log(2 \cdot 18c \log(1/\epsilon))$ bits into at most $n + 2\log(18/\epsilon)$ 
qubits. 

Remark. Observe that in terms of number of bits, the size of the key is only a factor of two larger (up to smaller 
order terms) than the simple guessing lower bound of $\log(1/(\epsilon + 2^{-n}))$. 

Recall that we can increase the size of the message to be equal to the number of qubits of the ciphertext. The 
key size becomes at most $4\log(1/\epsilon) + \log(2 \cdot 18c \log(1/\epsilon)) + 10$. □ 

Proof. Use the construction of Theorem 2.5 with $d_A = 2^n$ and $d_B = 2^q$ such that $2^{q-1} < 9/\epsilon^2 \le 2^q$ and $d = d_A d_B$. 
Take $t = 2^p$ to be the power of two with $2^{p-1} < 18c \log(9/\epsilon) \le 2^p$. □ 



The following corollary gives explicit locking schemes. We mention the constructions based on Theorems 2.16 
and 2.17. Of course, one could obtain a tradeoff between the key size and the dimension of the quantum system. 

Corollary 3.5 (Explicit locking schemes). Let $\delta > 0$ be a constant, $n$ be a positive integer, $\epsilon \in (2^{-c'n}, 1)$ ($c'$ is a constant 
independent of $n$). 

Then, there exists an efficient $\epsilon$-locking scheme encoding an $n$-bit message in a quantum state of $n' \le (4 + \delta)n + 
O(\log(1/\epsilon))$ qubits using a key of size $O(\log(n/\epsilon))$ bits. In fact, both the encoding and decoding operations are 
computable using a classical computation with polynomial running time and a quantum circuit with only Hadamard 
gates and preparations and measurements in the computational basis. 

There also exists an efficient $\epsilon$-locking scheme $\mathcal{E}'$ encoding an $n$-bit message in a quantum state of $n$ qubits using a key 
of size $O(\log(n/\epsilon) \cdot \log n)$ bits. $\mathcal{E}'$ is computable by a classical algorithm with expected runtime $O(n^2 \operatorname{polylog} n)$ and 
a quantum circuit of size $O(n \operatorname{polylog}(n/\epsilon))$. 

Proof. For the first result, we observe that the construction of Theorem 3.3 encodes the message in the 
computational basis. Recall that the unitaries $U_k$ of Theorem 2.16 are of the form $U_k = P_k V_k$ where $P_k$ 
is a permutation of the computational basis. Hence, it is possible to classically compute the element of the 
computational basis $P_k^\dagger |x\rangle |b\rangle$. One can then prepare the state $P_k^\dagger |x\rangle |b\rangle$ and apply the unitary $V_k^\dagger$ to obtain the 
ciphertext. The decoding is performed in a similar way. One first applies the unitary $V_k$, measures in the 
computational basis and then applies the permutation $P_k$ to the $n$-bit string corresponding to the outcome. 

For the second construction, we apply Theorem 2.17 with $n' = n + c' [\log \log n + \log(1/\epsilon)]$ for some large 
enough constant $c'$. We can then use a one-time pad encryption on the input to the $B$ system. This increases the 
size of the key by only $c' [\log \log n + \log(1/\epsilon)]$ bits. □ 

As mentioned earlier (see equation (21)), explicit states that exhibit locking behaviour have been presented in 
[DHL+04]. However, this is the first explicit construction of states $\omega$ that achieves the following strong locking 
behaviour: for any $\delta > 0$, for $n$ large enough, the state $\omega^{XCK}$ verifies $I_c(X; C)_\omega \le \delta$ and $I_c(X; CK)_\omega = n + \log d_K$ 
where $K$ is a classical $O(\log(n/\delta))$-bit system. This is a direct consequence of Corollary 3.5 taking $\epsilon = \delta/(20n)$, and 
Proposition 3.2. We should also mention that the authors of [KRBM07] explicitly construct a state exhibiting some 
weak locking behaviour. 



3.3 Quantum hiding fingerprints 

In this section, we show that the locking scheme of Corollary 3.4 can be used to build mixed state quantum hiding 
fingerprints as defined by Gavinsky and Ito [GI10]. A quantum fingerprint [BCWdW01] encodes an $n$-bit string 
into a quantum state $\rho_x$ of $n' \ll n$ qubits such that given $y \in \{0, 1\}^n$ and the fingerprint $\rho_x$, it is possible to decide 
with small error probability whether $x = y$. The additional hiding property ensures that measuring $\rho_x$ leaks very 
little information about $x$. Gavinsky and Ito [GI10] used the accessible information (footnote 3) as a measure of the hiding 
property. Here, we strengthen this definition by imposing a bound on the total variation distance instead (see 
Proposition 2.2). 

Definition 3.6 (Quantum hiding fingerprint). Let $n$ be a positive integer, $\delta, \epsilon \in (0, 1)$ and $C$ be a Hilbert space. An 
encoding $f : \{0, 1\}^n \to S(C)$ together with a set of measurements $\{M_y, \mathbb{1} - M_y\}$ for each $y \in \{0, 1\}^n$ is a 
$(\delta, \epsilon)$-hiding fingerprint if 

1. (Fingerprint property) For all $x \in \{0, 1\}^n$, $\mathrm{tr}[M_x f(x)] = 1$ and for $y \neq x$, $\mathrm{tr}[M_y f(x)] \le \delta$. 

2. (Hiding property) Let $X$ be uniformly distributed. Then, for any POVM $\{N_i\}$ on the system $C$ whose outcome on 
$f(X)$ is denoted $I$, we have for all possible outcomes $i$, 

$$\Delta(p_{X|[I=i]}, p_X) \le \epsilon.$$

We usually want the Hilbert space $C$ to be composed of $O(\log n)$ qubits. Gavinsky and Ito [GI10] proved that 
for any constant $c$, there exist efficient quantum hiding fingerprinting schemes for which the dimension of the 
quantum system $C$ is $O(\log n)$ and both the error probability $\delta$ and the accessible information are bounded by 
$1/n^c$. Here, we prove that the same result can be obtained by locking a classical fingerprint. The general structure 
of our quantum hiding fingerprint for parameters $n$, $\delta$ and $\epsilon$ is as follows: 

1. Choose a random prime $p$ uniformly from the set $\mathcal{P}_{n,\epsilon,\delta}$. 

Footnote 3: The accessible information about $X$ in a quantum system $C$ refers to the maximum over all measurements of the system $C$ of $I(X; I)$ 
where $I$ is the outcome of that measurement. 

2. Set $t = \lceil c \log(1/\epsilon)\, \epsilon^{-2} \rceil$, $d_A = p$ and $d_B = \lceil c'/\epsilon^2 \rceil$ and generate $t$ random unitaries $U_0, \ldots, U_{t-1}$ acting on 
$A \otimes B$. 

3. The fingerprint consists of the random prime $p$ and the state $U_k^\dagger |x \bmod p\rangle^A |b\rangle^B$ where $k \in [t]$ and 
$b \in [d_B]$ are chosen uniformly and independently. The density operator representing this state is denoted 

$$f(x) = \frac{1}{t d_B} \sum_{k, b} U_k^\dagger \, |x \bmod p\rangle\langle x \bmod p|^A \otimes |b\rangle\langle b|^B \, U_k.$$

Observe that even though this protocol is randomized because the unitaries are chosen at random, it is possible to 
implement it with polynomial resources in $n$ as the size of the message to be locked is $O(\log n)$ bits. In fact, one can 
approximately sample a random unitary in dimension $2^{O(\log n)}$ using a polynomial number of public random bits. 
The mixed state protocol of [GI10] achieves roughly the same parameters. Their construction is also randomized 
but it uses random codes instead of random unitaries. For this reason, the protocol of [GI10] would probably be 
more efficient in practice. 

Theorem 3.7. There exist constants $c$, $c'$ and $c''$, such that for all positive integer $n$, $\delta, \epsilon \in (0, 1/4)$ if we define $\mathcal{P}_{n,\delta,\epsilon}$ to be 
the set of primes in the interval $[l, u]$ where 



log 2 (l/e) 
6 e 8 



+ lOn and u = l+ (n/28f 



and provided u < 2™ 2 , the scheme described above is a $(\delta, \epsilon)$-hiding fingerprint with probability $1 - 2^{-\Omega(n)}$ over the choice 
of random unitaries. 

The proof of this result involves two parts. First, we need to show that the fingerprint of a uniformly distributed 
$X \in \{0, 1\}^n$ does not give away much information about $X$. This follows easily from Theorem 2.5 and Theorem 
3.3. We also need to show that for every $y \in \{0, 1\}^n$, there is a measurement that Bob can apply to the fingerprint 
to determine with high confidence whether it corresponds to a fingerprint of $y$ or not. In order to prove this, we 
use the following proposition on the Gram-Schmidt orthonormalisation of a set of almost orthogonal vectors. 

Proposition 3.8. Let $v'_1, \ldots, v'_r$ be a sequence of unit length vectors in a Hilbert space. Let $0 < \delta < \frac{1}{16r}$. For any $i \neq j$, 
suppose $|\langle v'_i | v'_j \rangle| \le \delta$. Let $v_1, \ldots, v_r$ be the corresponding sequence of vectors got by Gram-Schmidt orthonormalising 
$v'_1, \ldots, v'_r$. Then for any $i$, $\|v_i - v'_i\|_2 \le \delta \sqrt{32(i - 1)}$. 

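Proof. Since $|\langle v'_i | v'_j \rangle| \le \delta < 1/r$ for any $i \neq j$, the vectors $v'_1, \ldots, v'_r$ are linearly independent. Define $\Pi_0$ to be the 
zero linear operator. For $i \ge 1$, define $\Pi_i$ to be the orthogonal projection onto the subspace spanned by the vectors 
$v'_1, \ldots, v'_i$. Observe that for any $i$, $v'_1, \ldots, v'_i$ and $v_1, \ldots, v_i$ span the same space, and $v_{i+1} = \frac{v'_{i+1} - \Pi_i(v'_{i+1})}{\|v'_{i+1} - \Pi_i(v'_{i+1})\|_2}$. We 
shall prove by induction on $i$ that $\|\Pi_i(v'_k)\|_2 \le 4\delta\sqrt{i}$ for all $i$ and all $k > i$. This will prove the desired statement 
since 

$$\begin{aligned}
\|v'_i - v_i\|_2^2 &= \|\Pi_{i-1}(v'_i)\|_2^2 + \left(1 - \|v'_i - \Pi_{i-1}(v'_i)\|_2\right)^2 \\
&= \|\Pi_{i-1}(v'_i)\|_2^2 + \left(1 - \sqrt{1 - \|\Pi_{i-1}(v'_i)\|_2^2}\right)^2 \\
&= 2 - 2\sqrt{1 - \|\Pi_{i-1}(v'_i)\|_2^2} \le 2 - 2\sqrt{1 - 16\delta^2(i - 1)} \\
&\le 32\delta^2(i - 1).
\end{aligned}$$

The base case of $i = 1$ is trivial. Assume that the induction hypothesis holds for a particular $i$. Let $1 \le j \le i + 1$ 
and $k > i + 1$. Observe that $v'_j = \Pi_{j-1}(v'_j) + \sqrt{1 - \|\Pi_{j-1}(v'_j)\|_2^2}\; v_j$. We have 

$$\begin{aligned}
\langle v'_k | v'_j \rangle &= \langle v'_k | \Pi_{j-1}(v'_j) \rangle + \sqrt{1 - \|\Pi_{j-1}(v'_j)\|_2^2}\; \langle v'_k | v_j \rangle \\
&= \langle \Pi_{j-1}(v'_k) | \Pi_{j-1}(v'_j) \rangle + \sqrt{1 - \|\Pi_{j-1}(v'_j)\|_2^2}\; \langle v'_k | v_j \rangle, \\
|\langle v'_k | v'_j \rangle| &\ge \sqrt{1 - \|\Pi_{j-1}(v'_j)\|_2^2}\; |\langle v'_k | v_j \rangle| - \|\Pi_{j-1}(v'_k)\|_2 \|\Pi_{j-1}(v'_j)\|_2,
\end{aligned}$$

which implies that 

$$\begin{aligned}
|\langle v'_k | v_j \rangle| &\le \frac{|\langle v'_k | v'_j \rangle| + \|\Pi_{j-1}(v'_k)\|_2 \|\Pi_{j-1}(v'_j)\|_2}{\sqrt{1 - \|\Pi_{j-1}(v'_j)\|_2^2}} \\
&\le \frac{\delta + 16\delta^2(j - 1)}{\sqrt{1 - 16\delta^2(j - 1)}} \le \frac{\delta + \delta}{\sqrt{1 - \delta}} \\
&\le 4\delta.
\end{aligned}$$

Thus, $\|\Pi_{i+1}(v'_k)\|_2^2 = \sum_{j=1}^{i+1} |\langle v'_k | v_j \rangle|^2 \le 16\delta^2(i + 1)$, which gives $\|\Pi_{i+1}(v'_k)\|_2 \le 4\delta\sqrt{i + 1}$ completing the induction. 

□ 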

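Using this result we can prove the following lemma. 

Lemma 3.9. Let $\{U_0, \ldots, U_{t-1}\}$ be a set of unitary transformations on $AB$ that define $\gamma$-MUBs and $d^{-\gamma/2} < 1/(16 t d_B)$ 
where $d = d_A d_B$. Define for $y \in [d_A]$ the subspace $F_y = \mathrm{span}\{U_k^\dagger |y\rangle |b\rangle, k \in [t], b \in [d_B]\}$. Then for any $x \in [d_A]$, $y \neq x$, 
$k_0 \in [t]$ and $b_0 \in [d_B]$, 

$$\mathrm{tr}\left[\Pi_{F_y} U_{k_0}^\dagger |x\rangle |b_0\rangle\right] \le 2\sqrt{32}\, (t d_B)^2 d^{-\gamma},$$

where $\Pi_F$ is the projector on the subspace $F$. 

Proof. Consider the set of vectors $\{U_k^\dagger |y\rangle |b\rangle\}_{k \in [t], b \in [d_B]}$. We have for all $(k, b) \neq (k', b')$, 

$$\left| \langle y| \langle b'| U_{k'} U_k^\dagger |y\rangle |b\rangle \right| \le d^{-\gamma/2}.$$

Picking any fixed ordering on $[t] \times [d_B]$, define $\{|e_{k,b}(y)\rangle\}_{k,b}$ to be the set of vectors obtained by Gram-Schmidt 
orthonormalising $\{U_k^\dagger |y\rangle |b\rangle\}_{k \in [t], b \in [d_B]}$. Using Proposition 3.8 we have $\left\| |e_{k,b}(y)\rangle - U_k^\dagger |y\rangle |b\rangle \right\|_2 \le d^{-\gamma/2} \sqrt{32 t d_B}$. 
Thus, 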



tr 



nF v uljx}\b )]=J2\My)\utM b °)f 



k.b 



< 



E \\{y\{b'\Uk'Ut o \x)\b )\ + \\\e k , b (y)) ut\y)\b)\\ 2 



k.b 



< td R ■ d~ 



< 2v / 32(td B ) 2 ^ 7 . 



□ 



Proof of Theorem 3.7. We start by proving the hiding property. For any fixed $p$, the random variable $Z = X \bmod p$ 
is almost uniformly distributed on $[p]$. In fact, we have for any $z \in [p]$, P {Z = z} < 2 In other words, 
$H_{\min}(Z) \ge \log p - \log(1 + p 2^{-n})$. Thus, using Theorem 2.5 and Theorem 3.3 we have that except with probability 
exponentially small in $n$ (on the choice of the random unitary), the fingerprinting scheme satisfies for any 
measurement outcome $i$ 



2c 



A(p z \[i=i],Pz) < 1 < 4e 



l+p2- 



where $I$ denotes the outcome of a measurement on the state $f(X)$. Recall that we are interested in the information 
leakage about $X$ not $Z$. For this, we note that the random variables $X, Z, I$ form a Markov chain. Thus, 

$$\begin{aligned}
\Delta(p_{X|[I=i]}, p_X) &= \frac{1}{2} \sum_{x \in \{0,1\}^n} \Big| \sum_{z \in [p]} \mathbf{P}\{Z = z | I = i\}\, \mathbf{P}\{X = x | I = i, Z = z\} - \mathbf{P}\{Z = z\}\, \mathbf{P}\{X = x | Z = z\} \Big| \\
&= \frac{1}{2} \sum_{x \in \{0,1\}^n} \Big| \sum_{z \in [p]} \mathbf{P}\{Z = z | I = i\}\, \mathbf{P}\{X = x | Z = z\} - \mathbf{P}\{Z = z\}\, \mathbf{P}\{X = x | Z = z\} \Big| \\
&\le \frac{1}{2} \sum_{z \in [p]} \left| \mathbf{P}\{Z = z | I = i\} - \mathbf{P}\{Z = z\} \right| \sum_{x \in \{0,1\}^n} \mathbf{P}\{X = x | Z = z\} \\
&= \Delta(p_{Z|[I=i]}, p_Z) \le 4\epsilon.
\end{aligned}$$

This proves the hiding property. 

We then analyse the fingerprint property. Let $x, y \in [2^n]$ and $p$ be the random prime of the fingerprint. 
We define the measurements by $M_y = \Pi_{F_y}$ for all $y \in \{0, 1\}^n$ where $\Pi_{F_y}$ is the projector onto the subspace 
$F_y = \mathrm{span}\{U_k^\dagger |y \bmod p\rangle |b\rangle, k \in [t], b \in [d_B]\}$. If $x = y$, then $f(x)$ is a mixture of states in $\mathrm{span}\{U_k^\dagger |y \bmod p\rangle |b\rangle, k \in 
[t], b \in [d_B]\}$. Thus $\mathrm{tr}[M_y f(x)] = 1$. 

We now suppose that $x \neq y$. First, we have $\mathbf{P}\{x \bmod p = y \bmod p\} = \mathbf{P}\{x - y \bmod p = 0\} \le \delta/2$ as the 
number of distinct prime divisors of $x - y$ is at most $n$ and the number of primes in $[l, u]$ is at least $n/(2\delta)$ for $n$ 
large enough. Then, whenever $x \bmod p \neq y \bmod p$, Lemma 3.9 gives 

tT[H F J(x)] <2V32(td B ) 2 (d A d B ) 
< 2v / 32 • 4c 2 C 



0.9 



2 , 2 log 2 (l/e) 



c"log 2 (l/e) 

< 5/2 

for $c''$ large enough with probability $1 - 2^{-\Omega(d_A d_B)} = 1 - 2^{-\Omega(n)}$ over the choice of the random unitaries (using 
Theorem 2.5). Finally, we get $\mathrm{tr}[\Pi_{F_y} f(x)] \le \delta$ with probability $1 - 2^{-\Omega(n)}$. □ 



3.4 String commitment 

In this section, we show how to use a locking scheme to obtain a weak form of bit commitment [BCH+06]. 
Bit commitment is an important two-party cryptographic primitive defined as follows. Consider two mutually 
distrustful parties Alice and Bob who are only allowed to communicate over some channel. The objective is to be 
able to achieve the following: Alice secretly chooses a bit $x$ and communicates with Bob to convince him that she 
fixed her choice, without revealing the actual bit $x$. This is the commit stage. At the reveal stage, Alice reveals the 
secret $x$ and enables Bob to open the commitment. Bob can then check whether Alice was honest. 

Using classical or quantum communication, unconditionally secure bit commitment is known to be impossible 
[May97, LC97]. However, commitment protocols with weaker security guarantees do exist [SR01, DFSS05, 
BCH+06, BCH+08]. Here, we address an open question of [BCH+08] by constructing an efficient protocol for string 
commitment with nontrivial security parameters using the locking scheme described in the previous section. 

In a string commitment protocol, Alice commits to an $n$-bit string. Alice's ability to cheat is quantified by the 
number of strings she can reveal successfully. The ability of Bob to cheat is quantified by the information he can 
obtain about the string to be committed. One can formalize these notions in many ways. Here we introduce a 
definition for which a protocol with nontrivial parameters can be achieved. Our definition is similar to the one 
of [BCH+08] except that we use the trace distance instead of the accessible information. Our definition is slightly 
stronger by virtue of Proposition 3.2. For a detailed study of string commitment in a more general setting, see 
[BCH+08]. 

Definition 3.10. An $(n, \alpha, \beta)$-quantum bit string commitment is a quantum communication protocol between Alice (the 
committer) and Bob (the receiver) which has two phases. When both players are honest the protocol takes the following form. 

• (Commit phase) Alice chooses a string $X \in \{0, 1\}^n$ uniformly. Alice and Bob communicate, after which Bob holds a 
state $\rho_X$. 

• (Reveal phase) Alice and Bob communicate and Bob learns $X$. 

The parameters $\alpha$ and $\beta$ are security parameters. 

• If Alice is honest, then for any measurement performed by Bob on her state $\rho_X$, we have $\Delta(p_X, p_{X|[I=i]}) \le \frac{\beta}{n}$ where $I$ 
is the outcome of the measurement. 

• If Bob is honest, then for all commitments of Alice: $\sum_{x \in \{0,1\}^n} p_x$ — where $p_x$ is the probability that Alice 
successfully reveals $x$. 

Following the strategy of [BCH+06], the following protocol for string commitment can be defined using a 
locking scheme $\mathcal{E}$. 

• Commit phase: Alice has the string $X \in \{0, 1\}^n$ and chooses a key $K \in [t]$ uniformly at random. She sends 
the state $\mathcal{E}(X, K)$ to Bob. 

• Reveal phase: Alice announces both the string $X$ and the key $K$. Using the key Bob decodes some value $X'$. 
He accepts if $X = X'$. 

A protocol is said to be efficient if both the communication (in terms of the number of qubits exchanged) is 
polynomial in $n$ and the computations performed by Alice and Bob can be done in polynomial time on a quantum 
computer. The protocol presented in [BCH+08] is not efficient in terms of computation and is efficient in terms of 
communication only if the cost of communicating a (random) unitary in dimension $2^n$ is disregarded. Using the 
efficient locking scheme of Corollary 3.5 we get 

Corollary 3.11. Let $n$ be a positive integer and $\beta \in (n 2^{-cn}, n)$ ($c$ is a constant independent of $n$). There exists an efficient 
$(n, c \log(n^2/\beta), \beta)$-quantum bit string commitment protocol for some constant $c$ independent of $n$ and $\beta$. 

Proof. We use the first construction of Corollary 3.5 with $\epsilon = \beta/n$. If Bob is honest, the security analysis is exactly 
the same as [BCH+08]. If Alice is honest, the security follows directly from the definition of the locking scheme. 

□ 



3.5 Locking entanglement of formation 

The entanglement of formation is a measure of the entanglement in a bipartite quantum state that attempts to 
quantify the number of singlets required to produce the state in question using only local operations and classical 
communication [BDSW96]. For a bipartite state $\rho^{XY}$, the entanglement of formation is defined as 

$$E_f(X; Y)_\rho = \min_{\{p_i, |\psi_i\rangle\}} \sum_i p_i S(X)_{\psi_i} \qquad (27)$$

where the minimization is taken over all possible ways to write $\rho^{XY} = \sum_i p_i |\psi_i\rangle\langle\psi_i|$ with $\sum_i p_i = 1$. Entanglement 
of formation is related to the following quantity: 

$$I^{\leftarrow}(X; Y')_\rho = \max_{\{M_i\}} I(X; I)$$

where the maximization is taken over all measurements $\{M_i\}$ performed on the system $Y'$ and $I$ is the outcome 
of this measurement. Koashi and Winter [KW04] showed that for a pure state $|\rho\rangle^{XYY'}$, a simple identity holds: 

$$E_f(X; Y)_\rho + I^{\leftarrow}(X; Y')_\rho = S(X)_\rho. \qquad (28)$$

Let $\{U_0, \ldots, U_{t-1}\}$ be a set of unitary transformations of $A \otimes B \simeq C$ and define 

$$|\rho\rangle^{ABCA'K} = \frac{1}{\sqrt{t\, d_A d_B}} \sum_{k \in [t], a \in [d_A], b \in [d_B]} |a\rangle^A |b\rangle^B \left(U_k^\dagger |a\rangle \otimes |b\rangle\right)^C |a\rangle^{A'} |k\rangle^K.$$

If $\{U_0, \ldots, U_{t-1}\}$ satisfies an $\epsilon$-metric uncertainty relation, then we get a locking effect using Theorem 3.3 and 
Proposition 3.2. In fact, we have $I^{\leftarrow}(A; C)_\rho \le 2\epsilon \log d_A + \eta(\epsilon)$ and $I^{\leftarrow}(A; CK)_\rho = \log d_A$. Thus, using (28), we get 

$$E_f(A; A'BK)_\rho = S(A)_\rho - I^{\leftarrow}(A; C)_\rho \ge (1 - 2\epsilon) \log d_A - \eta(\epsilon)$$

and discarding the system $K$ of dimension $t$ we obtain a separable state 

$$E_f(A; A'B)_\rho = 0.$$

Explicit states exhibiting weak locking behaviour of the entanglement of formation have been presented in 
[HHHO05]. Strong but non-explicit instances of locking the entanglement of formation were derived in [HLW06]. 
Here, using Theorem 2.16 we obtain explicit examples of strong locking behaviour. 

4 Quantum identification codes 



The most common task studied in information theory is that of transmitting information from a sender to a receiver 
over a noisy channel. Shannon's theorem [Sha48] quantifies the amount of information that can be transmitted 
reliably per use of the channel as the number $n$ of uses grows. Naturally for nontrivial channels, the number of 
messages one can send reliably grows exponentially in $n$ (in other words, the number of bits in the message grows 
linearly in $n$). Now suppose that we are aiming for a weaker task in which the sender (Alice) holds a message 
$x \in \{0, 1\}^n$ and the receiver a message $y \in \{0, 1\}^n$. The receiver does not want to determine $x$ completely but 
he merely wants to decide whether $x = y$ or not. This task is usually called identification [AD89]. It turns out 
that for nontrivial channels, using randomization at the encoder, it is possible to identify $2^{2^{Rn}}$ messages for some 
$R > 0$ by using the channel $n$ times [AD89]. If the channel is noiseless, this result is well-known in communication 
complexity: the randomized (private-coin) communication complexity of the equality function is logarithmic in $n$ 
[KN97]. 

A natural quantum analogue to this problem would be for Alice to get a quantum state $|\psi\rangle \in C$ and Bob a 
state $|\varphi\rangle \in C$. The objective is then for Bob to be able to simulate the measurement $(|\varphi\rangle\langle\varphi|, \mathbb{1} - |\varphi\rangle\langle\varphi|)$ on the state 
$|\psi\rangle$ [Win04]. There are many possible variations to this problem. In the model we study here, Alice receives the 
quantum state $|\psi\rangle$ and Bob gets a classical description of $|\varphi\rangle$. 

Definition 4.1 (Quantum identification [Win04]). Let $\mathcal{H}_1, \mathcal{H}_2, C$ be Hilbert spaces and $\epsilon \in (0, 1)$. An $\epsilon$-quantum- 
ID code for the channel $\mathcal{N} : S(\mathcal{H}_1) \to S(\mathcal{H}_2)$ consists of an encoding map $\mathcal{E} : S(C) \to S(\mathcal{H}_1)$ and a set of POVMs 
$(D_\varphi, \mathbb{1} - D_\varphi)$ acting on $S(\mathcal{H}_2)$, one for each pure state $|\varphi\rangle$ such that 



< e. 



A rate $R$ is said to be achievable for quantum identification over $\mathcal{N}$ if for all $\epsilon > 0$ and $n$ large enough, there exists 
an $\epsilon$-quantum-ID code for $\mathcal{N}^{\otimes n}$ with encoding domain $C$ of dimension at least $2^{nR}$. The quantum identification capacity 
$Q_{\mathrm{ID}}(\mathcal{N})$ is defined as the supremum of achievable rates for $\mathcal{N}$. 

Winter [Win04] showed that the quantum identification capacity of the noiseless qubit channel $\mathrm{id}_2$ is 2. Note 
that unlike the classical identification problem, the number of qubits one can identify using a noiseless qubit 
channel grows only linearly in the number of uses of the channel. 

Hayden and Winter [HW10] showed that classical communication cannot be used for quantum identification. 
In other words, $Q_{\mathrm{ID}}(\mathrm{id}_2) = 0$ where $\mathrm{id}_2$ is the noiseless (classical) bit channel. However, having access to a noiseless 
qubit channel makes classical communication useful. More precisely, the amortized quantum-ID capacity of the 
noiseless bit channel is 1, where the amortized capacity is defined as follows. 

Definition 4.2 (Amortized quantum-ID capacity [HW10]). A rate $R$ is said to be achievable for amortized quantum 
identification over $\mathcal{N}$ if for all $\epsilon > 0$ and $n$ large enough, there exists an $\epsilon$-quantum identification code for $\mathrm{id}_2^{\otimes m} \otimes \mathcal{N}^{\otimes n}$ 
with encoding domain $C$ such that $R \le \frac{1}{n} (\log \dim C - 2m)$. The amortized quantum identification capacity $Q_{\mathrm{ID}}^{\mathrm{am}}(\mathcal{N})$ 
is defined as the supremum of achievable rates for $\mathcal{N}$. 

Remark. In the expression of the rate, we subtract $2m$ from $\log \dim C$ because the quantum identification capacity 
of a noiseless qubit channel is two and we are interested in quantifying the contribution of $\mathcal{N}$. □ 

Here, we give an explicit family of quantum identification codes for the noiseless bit channel that achieve the 
capacity $Q_{\mathrm{ID}}^{\mathrm{am}}(\mathrm{id}_2) = 1$. Moreover, the encoder $\mathcal{E}$ can be computed by a quantum circuit of polynomial size and 
almost linear depth using polynomial time classical preprocessing (that depends only on $n$ and not on the state 
$|\psi\rangle \in C$). Our proof also gives a better bound on the number of uses $m$ of the noiseless quantum channel: $m$ 
can be taken to be $O(\log^2 n)$. To do this, we use the metric uncertainty relation $\{U_0, U_1, \ldots, U_{t-1}\}$ of Theorem 
2.17. The construction is illustrated by Figure 3. Our proof uses the duality between quantum identification and 
approximate forgetfulness [HW10]. More specifically, we use Theorem 7 of [HW10]. We state the part of the 
theorem needed here: 

Theorem 4.3 (Identification and forgetfulness, Theorem 7 in [HW10]). Let $\epsilon > 0$ and $V^{C \to ABKE}$ be an isometry 
satisfying 

$$\forall |\psi\rangle \in C, \quad \Delta\left(\mathrm{tr}_{ABK}(V \psi V^\dagger), \frac{\mathbb{1}^E}{\dim E}\right) \le \epsilon.$$

Then, there exists a family of POVMs $(D_\varphi, \mathbb{1} - D_\varphi)$ for $|\varphi\rangle \in C$ such that together with the encoding map $\mathcal{E}(\cdot) = 
\mathrm{tr}_E(V \cdot V^\dagger)$, they define an $\eta$-quantum-ID code for the noiseless quantum channel with $\eta = 6\epsilon^{1/4}$. 

[Figure 3 diagram; surviving labels: outcome of measurement, classical description of $|\varphi\rangle$] 

Figure 3: The system $K$ is prepared in a uniform superposition state $\frac{1}{\sqrt{t}} \sum_k |k\rangle$. Then, controlled by system $K$, the 
unitary $U_k$ is applied to $C = A \otimes B$. The $A$ system is then measured in the computational basis. The outcome of this 
measurement is sent through the classical channel. The systems $B$ and $K$ are sent using the noiseless quantum 
channel. The receiver constructs a POVM $D_\varphi$ based on a classical description of his state $|\varphi\rangle$ and the classical 
communication he receives. 



Theorem 4.4 (Quantum identification using a classical channel). Let n be a positive integer and $\epsilon \in (2^{-c'n}, 1)$ (where $c'$
is a constant independent of n). Then for some $m = O(\log(n/\epsilon) \cdot \log(n))$, there exists an $\epsilon$-quantum-ID code for the channel
$\mathrm{id}_2^{\otimes m} \otimes \overline{\mathrm{id}}_2^{\otimes n}$ encoding a system of at least n qubits. Moreover, the encoding map $\mathcal{E}$ can be implemented by a quantum circuit
of size $O(n^2\,\mathrm{polylog}(n/\epsilon))$. With polynomial-time classical precomputations, the depth of the quantum circuit can be made
$O(n\,\mathrm{polylog}(n/\epsilon))$.

Remark. Note that $\log d_A < n$ uses of the classical channel $\overline{\mathrm{id}}_2$ would be sufficient. We do not include it to simplify
the statement of the theorem. It is also worth observing that using the existential result of Theorem 2.5 we can
make the number of uses m of the quantum channel depend only on the error $\epsilon$, namely $m = O(\log(1/\epsilon))$. □

Proof Let $\{U_0, \dots, U_{t-1}\}$ be a set of unitaries on n qubits given by Theorem 2.17 verifying an $\epsilon'$-metric uncertainty
relation with $\epsilon' = (\epsilon/6)^4$. We start by preparing the uniform superposition $\frac{1}{\sqrt{t}} \sum_{k=0}^{t-1} |k\rangle^K$ and apply the unitary $U_k$
on system C controlled by the register K. We get the state $\frac{1}{\sqrt{t}} \sum_k |k\rangle^K (U_k|\psi\rangle)^{AB}$. The next step is to measure the
system A in the computational basis. To apply Theorem 4.3 we purify this operation by introducing a new ancilla
system E initialized to $|0\rangle$ having the same dimension as A. We replace the measurement on A by a coherent copy
(controlled-NOT) of the computational basis of A into the ancilla E. We obtain the state

$$|\rho\rangle^{KABE} = \frac{1}{\sqrt{t}} \sum_{k,a,b} |k\rangle^K \left(\langle a|^A \langle b|^B U_k|\psi\rangle\right) |a\rangle^A |b\rangle^B |a\rangle^E.$$



We now verify that the reduced state on E is close to maximally mixed for all states 



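$$\rho^E = \frac{1}{t}\sum_{k,a,b} \left|\langle a|^A\langle b|^B U_k|\psi\rangle\right|^2 |a\rangle\langle a|^E = \frac{1}{t}\sum_{k,a} p^A_{U_k|\psi\rangle}(a)\,|a\rangle\langle a|^E. \qquad (29)$$

As a result,

$$\Delta\Big(\rho^E, \frac{\mathbb{1}}{\dim E}\Big) = \Delta\Big(\frac{1}{t}\sum_k p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\Big) \le \frac{1}{t}\sum_k \Delta\big(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\big) \le \epsilon'.$$

Using Theorem 4.3, the encoder described in Figure 3 and some set of POVMs $(D_\varphi, 1 - D_\varphi)$ form an $\eta$-quantum-ID
code for the noiseless qubit channel with $\eta = 6\epsilon'^{1/4} = \epsilon$. We conclude by observing that sending the outcome
of the measurement can be done using a classical channel. The number of uses of the noiseless bit channel is
$\log \dim A < n$. The number of uses of the noiseless qubit channel is $m = \log \dim B + \log \dim K < c \log(n/\epsilon) \cdot \log(n)$
for some constant c.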
We now argue that the encoding can be computed by a quantum circuit of size $O(n^2\,\mathrm{polylog}(n/\epsilon))$ and depth
$O(n\,\mathrm{polylog}(n/\epsilon))$ using classical precomputation. To obtain this running time, we actually use the 1-MUBs of
Lemma 2.11 in the construction of Theorem 2.17. The only thing we need to precompute is an irreducible
polynomial of degree n over $\mathbb{F}_2[X]$. Then, using the same argument as in the proof of Lemma 2.11, we can compute
the unitary operation that takes as input the state $|j\rangle \otimes |\psi\rangle$ and outputs the state $|j\rangle \otimes V_j|\psi\rangle$ using a circuit of
size $O(n^2\,\mathrm{polylog}\,n)$ and depth $O(n\,\mathrm{polylog}\,n)$. Since the permutation extractor we use can be implemented by a
quantum circuit of size $O(n\,\mathrm{polylog}(n/\epsilon))$, the unitary transformation $|k\rangle \otimes |\psi\rangle \mapsto |k\rangle \otimes U_k|\psi\rangle$ can be computed by
a quantum circuit of size $O(n^2\,\mathrm{polylog}(n/\epsilon))$ and depth $O(n\,\mathrm{polylog}(n/\epsilon))$. □

This result can be interpreted in terms of the communication complexity of a quantum measurement simulation
problem. Alice is given an n-qubit state $|\psi\rangle \in C$ and Bob is given a classical description of $|\varphi\rangle \in C$. Namely, Bob
wants to output 1 with probability in the interval $[|\langle\varphi|\psi\rangle|^2 - \epsilon, |\langle\varphi|\psi\rangle|^2 + \epsilon]$ and 0 with probability in the interval
$[1 - |\langle\varphi|\psi\rangle|^2 - \epsilon, 1 - |\langle\varphi|\psi\rangle|^2 + \epsilon]$. The previous theorem shows that this task can be accomplished using $O(\log^2 n)$
qubits of communication and n bits of classical communication. Using the non-explicit result of Theorem 2.5 we
can show that $O(\log(1/\epsilon))$ qubits and n bits of communication are enough.

This result can be thought of as an analogue of the well-known fact that the public-coin randomized
communication complexity of equality is $O(\log(1/\epsilon))$ for an error probability $\epsilon$. Quantum communication replaces
classical communication and classical communication replaces public random bits. Classical communication can
be thought of as an extra resource because on its own it is useless for quantum identification [HW10, Theorem 11].



5 Conclusion 

We have seen how the problem of finding uncertainty relations is closely related to the problem of finding large
almost Euclidean subspaces of $\ell_1(\ell_2)$. Even though we did not use any norm embedding result directly, many of
the ideas presented here come from the proofs and constructions in the study of the geometry of normed spaces.
In particular, we obtained an explicit family of bases that satisfy a strong metric uncertainty relation by adapting a
construction of Indyk [Ind07]. Moreover, using standard techniques from asymptotic geometric analysis, we were
able to prove a strong result on the uncertainty relations defined by random unitaries [HLSW04].

We used these uncertainty relations to exhibit strong locking effects. In particular, we obtained the first explicit 
construction of a method for encrypting a random n-bit string in an n-qubit state using a classical key of size 
polylogarithmic in n. Moreover, our non-explicit results give better key sizes than previous constructions while 
simultaneously meeting a stronger locking definition. In particular, we showed that an arbitrarily long message 
can be encrypted with a constant-sized key. Our results on locking are summarized in Table 1. We should
emphasize that, even though we presented information locking from a cryptographic point of view, it is not a 
composable primitive because an eavesdropper could choose to store quantum information about the message 
instead of measuring. For this reason, a locking scheme has to be used with great care when composed with other 
cryptographic primitives. 

As a cryptographic task, one could compare a locking scheme to an entropically secure encryption scheme 
[RW02, DS05]. These two schemes achieve the same task of encrypting a high entropy message using a small
key. The security definition of a locking scheme is strictly stronger. In fact, for a classical eavesdropper (i.e., an
eavesdropper that can only measure) an $\epsilon$-locking scheme is secure in a strong sense. This additional security
guarantee comes at the cost of upgrading classical communication to quantum communication. With respect to
quantum entropically secure encryption [Des09, DD10], the security condition of a locking scheme is also more
stringent. However, a quantum entropically secure scheme allows the encryption of quantum states. 

Nonetheless, we note that an e-locking scheme also hides the message from an adversary that keeps a small 
quantum memory. In fact, using the same technique as [HMR+10, Corollary 2] based on [RRS09], if the adversary
is allowed to store m qubits, then the joint state of the message and the ciphertext is (c2 m / 2 e)-close to a product 
state for some constant c. For example, if $m = O(\log n)$, then a key of logarithmic size can still be used.

A locking scheme can also be seen as a (weak) quantum key distribution protocol. In quantum key distribution, 
a stronger security definition should be required and it is satisfied by the BB84 protocol [BB84, SP00]. The main
advantage in a locking scheme is that there is only one round of one-way quantum communication; there is no 
additional interaction between the two parties. With this restriction, it is actually impossible to obtain strong 
security conditions for a protocol that starts with a small key. 

We also used uncertainty relations to construct quantum identification codes. We proved that it is possible to 
identify a quantum state of n qubits by communicating n classical bits and $O(\log(1/\epsilon))$ quantum bits. We also
presented an efficient encoder for this problem that uses $O(\log^2(n/\epsilon))$ qubits of communication instead. The main
weakness of this result is that the decoder uses a classical description of the state $|\varphi\rangle$ that is in general exponential
in the number of qubits of $|\psi\rangle$. But as shown in [Win04], if Bob was to receive a copy of the quantum state $|\varphi\rangle$, the
task of quantum identification becomes the same as the task of transmission. It would be interesting to define a
notion of quantum identification that can be achieved using less communication than transmission and that would
allow for efficient encoding and decoding operations.

Appendices

A Existence of metric uncertainty relations 



In this section, we prove the lemmas used in Theorem 2.5.

Lemma 2.6 (Average value of $\ell_1(\ell_2)$ on the sphere). Let $|\varphi\rangle^{AB}$ be a random pure state on AB. Then,

r(4f ) r( dAd * +1 ) ~ V d B 



, , , \ i r -i T( dB+1 ) r( d Ad B \ I f 

^E{F[pfc } ,unft[dA]))} =e{|||^ s ||^ ( ,s ) } = [ J , ' \ J ,{. > Jl- 



Proof The presentation uses methods described in [Bal97].

Observe that the random variable $\||\varphi\rangle^{AB}\|_{\ell_1^A(\ell_2^B)}$ is distributed as the $\ell_1^{d_A}(\ell_2^{2d_B})$ norm of a Haar-distributed real
random vector on $\mathbb{S}^{2d_Ad_B-1}$. We define for integers n and m the norm $\ell_1^n(\ell_2^m)$ of a real n + m-dimensional vector
$\{v_{i,j}\}_{i\in[n],j\in[m]}$ as for the complex case (Definition 2.3):



2 

h3 I ■ 



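Note that we only specify the dimension of the systems as the systems themselves are not relevant here. In the
rest of the proof, we use $\|\cdot\|_{12}$ as a shorthand for $\|\cdot\|_{\ell_1^{d_A}(\ell_2^{2d_B})}$. So our objective is to evaluate the expected value
$\mathbf{E}\{\|\theta\|_{12}\}$ where $\theta$ has the Haar distribution on the real sphere $\mathbb{S}^{s-1}$ and $s = 2d$. For this, we start by relating
$\mathbf{E}\{\|Z\|_{12}\}$ and $\mathbf{E}\{\|\theta\|_{12}\}$ where Z has a standard Gaussian distribution on $\mathbb{R}^s$. By changing to polar coordinates,
we get

$$\mathbf{E}\{\|Z\|_{12}\} = \int_{\mathbb{R}^s} \|x\|_{12}\, \frac{e^{-\sum_{i=1}^{s} x_i^2/2}}{(2\pi)^{s/2}}\,dx = \frac{s\pi^{s/2}}{\Gamma(s/2+1)} \int_0^\infty \int_{\mathbb{S}^{s-1}} \|r\theta\|_{12}\, \frac{e^{-r^2/2}}{(2\pi)^{s/2}}\, r^{s-1}\,dr\,d\sigma(\theta)$$

where $\sigma$ is the normalized Haar measure on $\mathbb{S}^{s-1}$ and $\Gamma$ is the Gamma function $\Gamma(z) = \int_0^\infty u^{z-1}e^{-u}\,du$. The
term $\frac{s\pi^{s/2}}{\Gamma(s/2+1)}$ is the surface area of the sphere in dimension $s - 1$. Using the equality $\Gamma(z+1) = z\Gamma(z)$, we have
$\frac{s\pi^{s/2}}{\Gamma(s/2+1)} = \frac{2\pi^{s/2}}{\Gamma(s/2)}$. Thus,

$$\mathbf{E}\{\|Z\|_{12}\} = \frac{2\pi^{s/2}}{\Gamma(s/2)} \cdot \frac{1}{(2\pi)^{s/2}} \int_0^\infty r^s e^{-r^2/2}\,dr \cdot \int_{\mathbb{S}^{s-1}} \|\theta\|_{12}\,d\sigma(\theta) = \frac{1}{2^{s/2-1}\Gamma(s/2)} \int_0^\infty r^s e^{-r^2/2}\,dr \cdot \int_{\mathbb{S}^{s-1}} \|\theta\|_{12}\,d\sigma(\theta).$$

We then perform a change of variable $u = r^2/2$:

$$\mathbf{E}\{\|Z\|_{12}\} = \frac{1}{2^{s/2-1}\Gamma(s/2)} \int_0^\infty (2u)^{(s-1)/2} e^{-u}\,du \cdot \int_{\mathbb{S}^{s-1}} \|\theta\|_{12}\,d\sigma(\theta)$$

$$= \frac{2^{(s-1)/2}\,\Gamma\big(\frac{s-1}{2}+1\big)}{2^{s/2-1}\Gamma(s/2)} \int_{\mathbb{S}^{s-1}} \|\theta\|_{12}\,d\sigma(\theta)$$

$$= \frac{\sqrt{2}\,\Gamma\big(\frac{s+1}{2}\big)}{\Gamma\big(\frac{s}{2}\big)}\, \mathbf{E}\{\|\theta\|_{12}\}. \qquad (30)$$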

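Now, we compute

$$\mathbf{E}\{\|Z\|_{12}\} = \int_{\mathbb{R}^s} \|x\|_{12} \prod_{i=0}^{d_A-1} \frac{e^{-\|x_i\|_2^2/2}}{(2\pi)^{d_B}}\,dx$$

where we decomposed $x = (x_0, \dots, x_{d_A-1})$ where $x_i \in \mathbb{R}^{2d_B}$. As all the terms of the sum are equal

$$\mathbf{E}\{\|Z\|_{12}\} = d_A \int_{\mathbb{R}^{2d_B}} \|x_0\|_2\, \frac{e^{-\|x_0\|_2^2/2}}{(2\pi)^{d_B}}\,dx_0 \left(\int_{\mathbb{R}^{2d_B}} \frac{e^{-\|x_1\|_2^2/2}}{(2\pi)^{d_B}}\,dx_1\right)^{d_A-1} = d_A\, \frac{\sqrt{2}\,\Gamma\big(\frac{2d_B+1}{2}\big)}{\Gamma(d_B)}.$$

To get the second equality, we use the same argument as for (30). We conclude using equation (30)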

E 



)} = E{||e|| 12 } 

r(d B + 1) r(d A d s ) 



r(d B ) r(d A d B + i) 



We now prove the inequality in the statement of the lemma. We use the following two facts about the $\Gamma$
function: $\log \Gamma$ is convex and for all $z > 0$, $\Gamma(z+1) = z\Gamma(z)$. The first property can be seen by using Hölder's
inequality for example and the second using integration by parts. We have

$$\log\Gamma\big(x + \tfrac{1}{2}\big) \le \tfrac{1}{2}\log\Gamma(x) + \tfrac{1}{2}\log\Gamma(x+1) = \tfrac{1}{2}\log\big(x\,\Gamma(x)^2\big) = \log\sqrt{x}\,\Gamma(x).$$

Thus, $\frac{\Gamma(x+1/2)}{\Gamma(x)} \le \sqrt{x}$. Similarly, we have $\frac{\Gamma(x)}{\Gamma(x-1/2)} \le \sqrt{x - \tfrac{1}{2}}$, which shows that $\frac{\Gamma(x+1/2)}{\Gamma(x)} \ge \sqrt{x - \tfrac{1}{2}}$.
We conclude that



E 



{|||V>II#(/?)} 



1 1 

2 yJdAds 



1 - 



2d f 



□ 



Lemma 



2.7 



(Levy's lemma). Let f 



1 — > K and rj > Obe such that for all pure states \<pi), |y>2) * w C d , 
|/dVi»-/(lw»»|<»?||bi)-|^)|| 2 . 



Let \ip) be a random pure state in dimension d. Then for all < 6 < r\, 

P{|/(|^))-E{/^)}|>5}<4exp 
where c is a constant. We can take c = 9n 2 . 



6H 
erf 



Proof We can instead study the concentration of a Lipschitz function on the real sphere $\mathbb{S}^{2d-1}$. Note that the
induced function (that we also call f) is still $\eta$-Lipschitz. Concentration on $\mathbb{S}^{2d-1}$ can be proved in a simple way
using concentration of the standard Gaussian distribution. This proof is due to Maurey and Pisier and can be
found in Appendix V of [MS86]. Specifically using Corollary V.2 in [MS86], we get



P{\f(Z)-E{f(Z)}\ >t}<2exp 

< 4 exp I - 



S 2 (2d) \ 

18ttV ) 
S 2 d 



2 exp 



2d 
2^2 



9ttV 



In the notation of the proof of Corollary V.2 [MS86], we have set $\delta = 1/2$. This can be done because using the
same arguments as in the proof of Lemma 2.6 we can show that the expected £2 norm of the standard Gaussian 

distribution in dimension n at least \f2\l n — i > Jn for n>2. 



We used this version of Lévy's lemma because it has an elementary proof and it gives directly the concentration
about the expected value. Different versions involving the median of f and giving better constants can be found
in Corollary 2.3 of [MS86] or Proposition 1.3 in [Led01] for example. □



Lemma 



2.9 



((5-net). Let 5 G (0, 1). There exists a set Af of pure states in C with \J\f \ < (3/6) such that for every pure 



state \ip) e C d (i.e., IHV-Olh = V, there exists e Af such that 



< 6. 



Proof A proof can be found in [HLSW04] as Lemma II.4. 



□ 



Lemma 2.8 (Concentration of the average). Let $a, b \ge 1$, $\delta \in (0, 1)$ and t a positive integer. Suppose X is a random
variable with 0 mean satisfying the tail bounds

$$\mathbf{P}\{X \ge \delta\} \le a e^{-b\delta^2} \quad\text{and}\quad \mathbf{P}\{X \le -\delta\} \le a e^{-b\delta^2}.$$

Let $X_1, \dots, X_t$ be independent copies of X. Then if $\delta^2 b \ge 16a^2\pi$,



< 



exp 



6 2 bt 
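Proof For any $\lambda > 0$, using Markov's inequality

$$\mathbf{P}\Big\{\sum_{k=1}^{t} X_k \ge t\delta\Big\} = \mathbf{P}\Big\{\exp\Big(\lambda\sum_{k=1}^{t} X_k\Big) \ge \exp(\lambda t\delta)\Big\} \le \mathbf{E}\Big\{\exp\Big(\lambda\sum_{k=1}^{t} X_k\Big)\Big\}\, e^{-\lambda t\delta} = \mathbf{E}\{e^{\lambda X}\}^t\, e^{-\lambda t\delta}.$$

We now bound the moment generating function $\mathbf{E}\{e^{\lambda X}\}$ of X using the tail bounds.

$$\mathbf{E}\{e^{\lambda X}\} = \int_0^\infty \mathbf{P}\{e^{\lambda X} \ge u\}\,du \le 1 + \int_1^\infty \mathbf{P}\Big\{X \ge \frac{\ln u}{\lambda}\Big\}\,du \le 1 + \int_1^\infty a \exp\Big(-\frac{b \ln^2 u}{\lambda^2}\Big)\,du = 1 + a\int_0^\infty \exp\Big(-\frac{bz^2}{\lambda^2}\Big) e^z\,dz$$

by making the change of variable $z = \log u$.

$$\mathbf{E}\{e^{\lambda X}\} \le 1 + a\int_0^\infty \exp\Big(-\frac{b}{\lambda^2}\Big(z - \frac{\lambda^2}{2b}\Big)^2 + \frac{\lambda^2}{4b}\Big)\,dz$$

$$\le 1 + a\exp\Big(\frac{\lambda^2}{4b}\Big)\int_{-\infty}^{\infty} \exp\Big(-\frac{b}{\lambda^2}\Big(z - \frac{\lambda^2}{2b}\Big)^2\Big)\,dz$$

$$= 1 + a\exp\Big(\frac{\lambda^2}{4b}\Big)\frac{\lambda}{\sqrt{2b}}\int_{-\infty}^{\infty} \exp\Big(-\frac{z^2}{2}\Big)\,dz$$

$$= 1 + a\,\frac{\sqrt{2\pi}\,\lambda}{\sqrt{2b}}\cdot\exp\Big(\frac{\lambda^2}{4b}\Big)$$

$$\le 2\max\Big\{1,\ a\,\frac{\sqrt{\pi}\,\lambda}{\sqrt{b}}\cdot\exp\Big(\frac{\lambda^2}{4b}\Big)\Big\}.$$

We choose $\lambda = 2\delta b$ (this is not the optimal choice but it makes expressions simpler),

$$\mathbf{P}\Big\{\sum_{k=1}^{t} X_k \ge t\delta\Big\} \le \max\Big(2^t,\ \Big(2a\,\frac{\sqrt{\pi}\,\lambda}{\sqrt{b}}\cdot\exp\Big(\frac{\lambda^2}{4b}\Big)\Big)^t\Big)\exp(-\lambda t\delta)$$

$$= \max\Big(\exp\big(-2\delta^2 bt + t\ln 2\big),\ \exp\big(\delta^2 bt - 2\delta^2 bt + t\ln(4a\sqrt{\pi}\,\delta\sqrt{b})\big)\Big)$$

$$= \max\Big\{\exp\big((-2\delta^2 b + \ln 2)\,t\big),\ \exp\big((-\delta^2 b + \ln(4a\sqrt{\pi}\,\delta\sqrt{b}))\,t\big)\Big\}.$$

Claim. For all $c \ge 1$ and $x \ge c$

$$\tfrac{1}{2}\ln(cx) - x \le -\tfrac{x}{2}.$$

The function $x \mapsto \tfrac{x}{2} - \tfrac{1}{2}\ln(cx)$ is increasing for $x \ge 1$. It suffices to show that it is nonnegative for $x = c$. To see
that, we differentiate the function $y \mapsto y - \ln(y^2)$ to prove that for all $y \ge 1$, we have $y - \ln(y^2) > 0$. This proves
the claim.

Using this inequality, we have for $\delta^2 b \ge 16a^2\pi$,

$$-\delta^2 b + \ln(4a\sqrt{\pi}\,\delta\sqrt{b}) \le -\frac{\delta^2 b}{2} \quad\text{and}\quad -2\delta^2 b + \ln 2 \le -\frac{\delta^2 b}{2}.$$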
Finally,



exp 



,fe=i 



5 2 bt 
2 



□ 



B Proof of Lemma 2.11 



We define $V_0 = \mathbb{1}$, and the remaining unitaries are indexed by binary vectors $u \in \{0, 1\}^n$, for example the binary
representations of integers from 0 to $r - 2$. The construction is based on operations in the finite field $\mathbb{F}_{2^n}$. The field
$\mathbb{F}_{2^n}$ can be seen as an n-dimensional vector space over $\mathbb{F}_2$. Choose $\theta \in \mathbb{F}_{2^n}$ such that $1, \theta, \dots, \theta^{n-1}$ forms a basis of
$\mathbb{F}_{2^n}$. For any $x, y \in [n]$, $\theta^x \cdot \theta^y \in \mathbb{F}_{2^n}$ can be decomposed in our chosen basis as $\theta^x \cdot \theta^y = \sum_{\ell=0}^{n-1} m_\ell(x, y)\,\theta^\ell$ for some
$m_\ell(x, y) \in \mathbb{F}_2$. We can thus define the matrices $M_0, M_1, \dots, M_{n-1}$ from the multiplication table

$$\begin{pmatrix} 1 \\ \theta \\ \vdots \\ \theta^{n-1} \end{pmatrix} \cdot \begin{pmatrix} 1 & \theta & \dots & \theta^{n-1} \end{pmatrix} = M_0 + M_1\theta + \dots + M_{n-1}\theta^{n-1},$$

where $M_\ell = (m_\ell(x, y))_{x,y\in[n]}$. For a given $u \in \{0, 1\}^n$, we define the matrix

Notice that as $\theta^x \cdot \theta^y = \theta^{x+y}$, the entry $N_u(x, y)$ of $N_u$ only depends on $x + y$, i.e., $N_u(x, y) = N_u(x', y')$ if
$x + y = x' + y'$. So we can represent this matrix by a vector $a_u(x + y) = N_u(x, y)$ of length $2n - 1$. We then
define a quadratic form on $\mathbb{Z}_4$ by: for $v \in \{0, 1\}^n$,

$$T_u(v) = v^T N_u v \bmod 4.$$

Note that the operations $v^T N_u v$ are not performed in $\mathbb{F}_2$ but rather in $\mathbb{Z}$. Using the vector $a_u$, we can write

$$T_u(v) = \sum_{x,y\in[n]} v_x N_u(x, y)\, v_y \bmod 4 = \sum_{z=0}^{2n-2}\Big(\sum_{x=0}^{z} v_x v_{z-x}\Big) a_u(z) \bmod 4$$

if we define $v_x = 0$ for $x \ge n$. We then define the diagonal matrix $D_u = \mathrm{diag}\big(i^{T_u(v)}\big)_{v\in\{0,1\}^n}$. Finally, we define for
$1 \le j \le r - 1$,

where $\mathrm{bin}(j) \in \{0, 1\}^n$ is the binary representation of length n of the integer j.

The fact that these unitaries define mutually unbiased bases was proved in [WF89]. We now analyse how fast
these unitary transformations can be implemented. Note that we want a circuit that takes as input a state $|\psi\rangle$
together with the index j of the unitary transformation and that outputs $V_j|\psi\rangle$.

Given the index j as input, we show it is possible to compute $u = \mathrm{bin}(j - 1)$ and compute the vector $\alpha_j \overset{\mathrm{def}}{=} a_u$
in time $O(n^2\,\mathrm{polylog}\,n)$. In fact, we start by computing a representation of the field $\mathbb{F}_{2^n}$ by finding an irreducible
polynomial Q of degree n in $\mathbb{F}_2[X]$, so that $\mathbb{F}_{2^n} = \mathbb{F}_2[X]/Q$. This can be done in expected time $O(n^2\,\mathrm{polylog}\,n)$
(Corollary 14.43 in the book [vzGG99]). There also exists a deterministic algorithm for finding an irreducible
polynomial in time $O(n^4\,\mathrm{polylog}\,n)$ [Sho90]. We then take $\theta = X$. Computing the polynomial $X^x \cdot X^y = X^{x+y}$
mod Q can be done in time $O(n\,\mathrm{polylog}\,n)$ using the fast Euclidean algorithm (see Corollary 11.8 in [vzGG99]). As
$x + y \in [0, 2n - 2]$, we can explicitly represent all the polynomials $X^z$ for $0 \le z \le 2n - 2$ in time $O(n^2\,\mathrm{polylog}\,n)$. It
is then simple to compute the vector $a_u$ using the vector u in time $O(n^2)$.

To build the quantum circuit, we first observe that applying a Hadamard transform only takes n single-qubit
Hadamard gates. Then, to design a circuit performing the unitary transformation $D_{\mathrm{bin}(j-1)}$, we start by building a
classical circuit that computes

$$T_u(v) = \sum_{z=0}^{2n-2}\Big(\sum_{x=0}^{z} v_x v_{z-x}\Big) a_u(z) \bmod 4$$

on inputs v and $a_u$. Observing that $\sum_{x=0}^{z} v_x v_{z-x}$ is the coefficient of $Y^z$ in the polynomial $\big(\sum_{x=0}^{n-1} v_x Y^x\big)^2$, we can
use fast polynomial multiplication to compute $T_u(v)$ in time $O(n\,\mathrm{polylog}\,n)$ (Corollary 8.27 in [vzGG99]). Moreover,
computing the inner product of two vectors can easily be implemented by a circuit of depth $O(\log n)$. Thus, $T_u(v)$
can be computed by a circuit of size $O(n\,\mathrm{polylog}\,n)$ and depth $O(\log n)$. This circuit can be transformed into a
reversible circuit with the same size and depth (up to some multiplicative constant) that takes as input $(v, \alpha_j, g)$
where $v \in \{0, 1\}^n$, $\alpha_j \in \{0, 1\}^{2n-1}$ and $g \in \mathbb{Z}_4$, and outputs $(v, \alpha_j, g + T_u(v) \bmod 4)$.

This reversible classical circuit can be readily transformed into a quantum circuit that computes the unitary
transformation defined by $W : |v\rangle|g\rangle \mapsto |v\rangle|g + T_u(v) \bmod 4\rangle$. Recall that we want to implement the transformation
$D_u : |v\rangle \mapsto i^{T_u(v)}|v\rangle$ efficiently. This is simple to obtain using the quantum circuit for W. In fact, if we use a catalyst
state $|\phi\rangle = |0\rangle - i|1\rangle - |2\rangle + i|3\rangle$, we have

$$W|v\rangle|\phi\rangle = i^{T_u(v)}|v\rangle|\phi\rangle = D_{\mathrm{bin}(j-1)}|v\rangle|\phi\rangle.$$

Finally, $D_{\mathrm{bin}(j-1)}H^{\otimes n}$ can be implemented by a quantum circuit of size $O(n\,\mathrm{polylog}\,n)$ and depth $O(\log n)$.
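The construction of this appendix can be checked numerically for small n. The following is an added example, not code from the paper: it builds $a_u$, $T_u$ and the bases $V_0 = \mathbb{1}$ and $D_u H^{\otimes n}$, then measures how far the overlaps between different bases are from $2^{-n}$. It assumes $N_u = \sum_\ell u_\ell M_\ell$ with entries reduced mod 2 (the defining line is missing from this copy), takes $\theta = X$, finds Q by brute force rather than with the fast algorithms cited, and uses illustrative function names.

```python
# Polynomials over F_2 are bitmasks: bit i is the coefficient of X^i.

def poly_mod(r, d):
    """Remainder of r divided by d in F_2[X]."""
    dd = d.bit_length() - 1
    while r.bit_length() - 1 >= dd:
        r ^= d << (r.bit_length() - 1 - dd)
    return r

def find_irreducible(n):
    """Smallest irreducible polynomial Q of degree n (brute force, small n only)."""
    for q in range(1 << n, 1 << (n + 1)):
        # A reducible q has a factor of degree between 1 and n // 2.
        if all(poly_mod(q, d) for d in range(2, 1 << (n // 2 + 1))):
            return q
    raise ValueError("no irreducible polynomial found")

def theta_powers(n, Q):
    """theta^z = X^z mod Q for 0 <= z <= 2n - 2."""
    pows, p = [], 1
    for _ in range(2 * n - 1):
        pows.append(p)
        p <<= 1
        if (p >> n) & 1:
            p ^= Q
    return pows

def a_vector(u, pows):
    """a_u(z) = sum_l u_l * [coefficient of theta^l in theta^z] mod 2 (assumed N_u)."""
    return [bin(u & p).count("1") % 2 for p in pows]

def quad_form(v_bits, a):
    """T_u(v) = sum_z (sum_x v_x v_{z-x}) a_u(z) mod 4, computed over the integers."""
    n = len(v_bits)
    total = 0
    for z in range(2 * n - 1):
        conv = sum(v_bits[x] * v_bits[z - x] for x in range(n) if 0 <= z - x < n)
        total += conv * a[z]
    return total % 4

def mub_bases(n):
    """V_0 = identity, then the columns of D_u H^{(x)n} for every u in {0,1}^n."""
    N = 1 << n
    pows = theta_powers(n, find_irreducible(n))
    bases = [[[complex(r == c) for r in range(N)] for c in range(N)]]
    for u in range(N):
        a = a_vector(u, pows)
        phase = [1j ** quad_form([(v >> x) & 1 for x in range(n)], a) for v in range(N)]
        bases.append([[phase[v] * (-1) ** bin(l & v).count("1") / N ** 0.5
                       for v in range(N)] for l in range(N)])
    return bases

def max_overlap_deviation(bases):
    """Largest | |<a|b>|^2 - 1/N | over vectors a, b taken from two different bases."""
    N = len(bases[0])
    worst = 0.0
    for i in range(len(bases)):
        for j in range(i + 1, len(bases)):
            for a in bases[i]:
                for b in bases[j]:
                    ip = sum(x.conjugate() * y for x, y in zip(a, b))
                    worst = max(worst, abs(abs(ip) ** 2 - 1 / N))
    return worst

if __name__ == "__main__":
    for n in (2, 3, 4):
        bases = mub_bases(n)
        print(n, len(bases), max_overlap_deviation(bases))
```

For each n the deviation is at floating-point noise level, so all $2^n + 1$ bases are pairwise unbiased; the integer arithmetic in `quad_form` matters, since reducing the convolution mod 2 before multiplying by $a_u(z)$ destroys the property.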

C Permutation extractors 

In order to prove the existence of strong permutation extractors with good parameters, we use the construction
of Guruswami, Umans and Vadhan [GUV09] which is inspired by list decoding. Their main construction is a
lossless condenser based on Parvaresh-Vardy codes. Using this condenser, they build an explicit extractor with
good parameters. However, this lossless condenser based on Parvaresh-Vardy codes does not seem to be easily
extended into a permutation condenser. The same paper also presents a lossy condenser based on Reed-Solomon
codes, which can indeed be transformed into a permutation condenser. This permutation condenser can then be
used in the extractor construction instead of the lossless condenser giving a strong permutation extractor. In this
section, we describe this construction. For completeness, we reproduce most of the proof here, except the results
that are used exactly as stated in [GUV09].

It is also worth mentioning that to obtain metric uncertainty relations, we want strong extractors. Even though
the extractors in [GUV09] are not directly described as strong, they are essentially strong. In this section, we
describe all the condensers and extractors as strong.

Definition C.1 (Condenser). A function $C : \{0, 1\}^n \times S \to \{0, 1\}^{n'}$ is an $(n, k) \to_\epsilon (n', k')$ condenser if for every X
with min-entropy at least k, $C(X, U_S)$ is $\epsilon$-close to a distribution with min-entropy $k'$ when $U_S$ is uniformly distributed on
S. A condenser C is strong if $(U_S, C(X, U_S))$ is $\epsilon$-close to $(U_S, Z)$ for some random variable Z such that for all $y \in S$,
$Z|_{U_S = y}$ has min-entropy at least $k'$.

A condenser is explicit if it is computable in polynomial time in n.

Remark. The set S is usually of the form $\{0, 1\}^d$ for some integer d. Here, it is convenient to take sets S not of this
form to obtain permutation extractors. Note also that an extractor is an $(n, k) \to_\epsilon (m, m)$ condenser. □

Definition C.2 (Permutation condenser). A family $\{P_y\}_{y\in S}$ of permutations of $\{0, 1\}^n$ is an $(n, k) \to_\epsilon (n', k')$ strong
permutation condenser if the function $P^C : (x, y) \mapsto P_y^C(x)$, where $P_y^C(x)$ refers to the first $n'$ bits of $P_y(x)$, is an
$(n, k) \to_\epsilon (n', k')$ strong condenser.

A strong permutation condenser is explicit if for all $y \in S$, both $P_y$ and $P_y^{-1}$ are computable in polynomial time.
The following theorem describes the condenser that will be used as a building block in the extractor
construction. It is an analogue of Theorem 7.2 in [GUV09].

Theorem C.3. For all positive integers n and $\ell \le n$, as well as $\alpha, \epsilon \in (0, 1/2)$, there exists an explicit family of permutations
$\{RS_y\}_{y\in S}$ of $\mathbb{F}_2^{nt}$ that is an

$$(nt, (\ell + 1)t) \to_\epsilon (\ell t, (1 - \alpha)\ell t - 4)$$

strong permutation condenser with $t = \lceil 1/\alpha \cdot \log(24n^2/\epsilon) \rceil$ and $\log |S| \le t$. Moreover, the functions $(x, y) \mapsto RS_y(x)$ and
$(x, y) \mapsto RS_y^{-1}(x)$ can be computed by a circuit of size $O(n\,\mathrm{polylog}(n/\epsilon))$.

Remark. Note that the input space of the condenser is {0, 1}"* instead of {0, 1}". But one can see such a condenser 
as a permutation condenser (P' y ) on the smaller space {0, 1}™ defined by P'(x) = P y (x0 t ) for all x £ {0, 1}" where 
xO* is obtained by appending t zeros to x. □ 
Proof Set $q = 2^t$ and $\epsilon_0 = \epsilon/6$. Consider the function $C : \mathbb{F}_q^n \times \mathbb{F}_q \to \mathbb{F}_q^{\ell+1}$ defined by

$$C(f, y) = [y, f(y), f(\zeta y), \dots, f(\zeta^{\ell-1} y)]$$

where $\mathbb{F}_q^n$ is interpreted as the set of polynomials over $\mathbb{F}_q$ of degree at most $n - 1$ and $\zeta$ is a generator of the
multiplicative group $\mathbb{F}_q^*$. First, we compute the input and output sizes in terms of bits. The inputs can be described
using $\log |\mathbb{F}_q^n| = n \log q = nt$ bits, the seed using $\log |\mathbb{F}_q| = t$ bits and the output using $\log |\mathbb{F}_q^{\ell+1}| = (\ell + 1)t$. Using
Theorem 7.1 in [GUV09], for any integer h, C is a



q 



(Ah 1 -I 



nt, log ( ^— j 1 ^ 2£0 \£t + t, log ) I (31) 



condenser where $A = \epsilon_0 q - (n - 1)(h - 1)\ell$. We now choose $h = \lceil q^{1-\alpha} \rceil$. As $q \ge (4n^2/\epsilon_0)^{1/\alpha}$, we have
$A \ge \epsilon_0 q - n^2 h \ge \epsilon_0 q - \epsilon_0 q^{\alpha}/4 \cdot (q^{1-\alpha} + 1) \ge \epsilon_0 q/2$. Thus, we can compute the bounds we obtain on the condenser
C:

log f ^-Jll ) = ft + log(l/e ) < (J + l)t 



Co 



and 



los (^rJ =log (^J +log ( 1 -s?J 



> \og(q/4)+£\ogh- 1 

> t+(l- a)&-3. 

Plugging these values in equation (31), we get that C is a

$$(nt, (\ell + 1)t) \to_{2\epsilon_0} (\ell t + t, (1 - \alpha)\ell t + t - 3) \qquad (32)$$

condenser.

Observe that the seed y is part of the output of the condenser. As we want to construct a strong condenser,
we do not consider the seed as part of the output of the condenser. For this, we define $C : \mathbb{F}_q^n \times \mathbb{F}_q \to \mathbb{F}_q^{\ell}$ by
$C(f, y) = [f(y), \dots, f(\zeta^{\ell-1} y)]$. Moreover, as will be clear later when we try to build a permutation condenser, we
take the seed to be uniform on $S \overset{\mathrm{def}}{=} \mathbb{F}_q^*$ instead of being uniform on the whole field $\mathbb{F}_q$. Note that this increases the
error of the condenser by at most $2^{-t} \le \epsilon_0$ (because one can choose $U_{\mathbb{F}_q^*} = U_{\mathbb{F}_q}$ with probability $1 - 2^{-t}$). Here and
in the rest of this proof, we will be using Doeblin's coupling lemma.

Equation f32~) then implies that if X has min-entropy at least (£ + l)t and Us is uniform on S, then the 
distribution of (Us, C(X, Us)) is 3e -close to a distribution with min-entropy at least (1 — a)£t + t — 3. Let Y e S 
and Z e {0, 1}(^+ I ) t be random variables such that H min (F, Z) > (1 - a)£t + t - 3 and (U s , C(X, U s )) = (Y, Z) 
with probability at least 1 — 3e . If Y was uniformly distributed on S, then it would follow directly that for all 
y € S, H m i n (Z\Y = y) > (1 — a)£t. However, Y is not necessarily uniformly distributed. We define a new random 
variable Z' by 

' Z if Y= U s 
U' if Y^ U s 



Z' = 



where U' is uniformly distributed on {0, and independent of all the other random variables. We have for 
any z € {0, l}^ 1 )' and y £ S, 

P{Z' = z\U s = y] = T (P{Z' = z,Y = y,Y = U s } + P{Z' = z,U s = y,Y^ U s }) 

r{U s = y\ 

< ^ ( n-(l-a)(t-i+3 , ,-(£+l)t J_ 

-P{u s = y}\ + '\S\ 

< 2 • 2~( 1 ~ Q ) ft+3 

Moreover, we have $(U_S, C(X, U_S)) = (U_S, Z')$ with probability at least $1 - 6\epsilon_0$.
We conclude that C is a

$$(nt, (\ell + 1)t) \to_\epsilon (\ell t, (1 - \alpha)\ell t - 4) \qquad (33)$$

strong condenser.

To define our permutation condenser, we set the first $n' = \ell t$ bits $RS_y^C(x)$ of $RS_y(x)$ to be $RS_y^C(x) = C(x, y)$.
We then define the remaining bits by defining $RS_y^R(f) = [f(\zeta^{\ell} y), \dots, f(\zeta^{n-1} y)]$. As $q > n - 1$ and $\zeta$ is a generator
of $\mathbb{F}_q^*$, the elements $y, \zeta y, \dots, \zeta^{n-1} y$ are distinct provided $y \ne 0$. So for $y \ne 0$, $(RS^C, RS^R)_y(f)$ is the evaluation of
the polynomial f of degree at most $n - 1$ in n distinct points. Thus, $f \mapsto P_y(f)$ is a bijection in $\mathbb{F}_q^n$ for all $y \ne 0$.
This is why the value 0 for the seed was excluded earlier.

Concerning the computation of the functions $RS_y$ and $RS_y^{-1}$, they only require the evaluation of a polynomial
on elements of the finite field $\mathbb{F}_q$. Computations in the finite field $\mathbb{F}_q$ can be performed efficiently by finding an
irreducible polynomial of degree $\log q$ over $\mathbb{F}_2$ and doing computations modulo this polynomial. In fact, finding
an irreducible polynomial of degree $\log q$ over $\mathbb{F}_2$ can be done in time polynomial in $\log q$ (see for example [Sho90]
for a deterministic algorithm and Corollary 14.43 in the book [vzGG99] for a simpler randomized algorithm).
Since addition, multiplication and finding the greatest common divisor of polynomials in $\mathbb{F}_2[X]$ can be done
using a number of operations in $\mathbb{F}_2$ that is polynomial in the degrees, we conclude that computations in $\mathbb{F}_q$
can be implemented in time $O(\mathrm{polylog}(n/\epsilon))$. Moreover, one can efficiently find a generator $\zeta$ of the group
$\mathbb{F}_q^*$. For example, Theorem 1.1 in [Sho92] shows the existence of a deterministic algorithm having a runtime
$O(\mathrm{poly}(\log(q))) = O(\mathrm{polylog}(n/\epsilon))$.

To evaluate $RS_y$ at a polynomial f, we compute the field elements $y, \zeta y, \dots, \zeta^{n-1} y$, and then evaluate the
polynomial f on these points. Using a fast multipoint evaluation, this step can be done in $O(n\,\mathrm{polylog}\,n)$ number
of operations in $\mathbb{F}_q$ (see Corollary 10.8 in [vzGG99]). Moreover, given a list $[f(y), \dots, f(\zeta^{n-1} y)]$ for $y \ne 0$, we can
find f by fast interpolation in $\mathbb{F}_q[X]$ (see Corollary 10.12 in [vzGG99]). As a result $RS_y^{-1}$ can also be computed in
$O(n\,\mathrm{polylog}\,n)$ operations in $\mathbb{F}_q$. □
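The permutation $RS_y$ and its inverse can be exercised on a toy field. This is an added example, not code from the paper: it works over $\mathbb{F}_8$ ($t = 3$, modulus $X^3 + X + 1$, $\zeta = X$, all chosen for the example), uses plain Horner evaluation and Lagrange interpolation rather than the fast algorithms cited, and shows that $RS_y$ is a bijection exactly when the seed is nonzero.

```python
from itertools import product

T_BITS = 3                # q = 2^t with t = 3 (toy size chosen for this example)
Q_SIZE = 1 << T_BITS      # q = 8
MODULUS = 0b1011          # X^3 + X + 1, irreducible over F_2
ZETA = 0b010              # the element X; F_8^* has prime order 7, so X generates it

def gf_mul(a, b):
    """Product in F_q; elements are bitmask polynomials reduced modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q_SIZE:
            a ^= MODULUS
    return r

def gf_inv(a):
    """Inverse in F_q^*, computed as a^(q-2)."""
    r = 1
    for _ in range(Q_SIZE - 2):
        r = gf_mul(r, a)
    return r

def points(y, n):
    """Evaluation points y, zeta*y, ..., zeta^(n-1)*y."""
    pts, p = [], y
    for _ in range(n):
        pts.append(p)
        p = gf_mul(p, ZETA)
    return pts

def poly_eval(f, x):
    """Horner evaluation of f at x; f[i] is the coefficient of X^i."""
    acc = 0
    for c in reversed(f):
        acc = gf_mul(acc, x) ^ c
    return acc

def rs_perm(f, y):
    """RS_y(f) = [f(y), f(zeta y), ..., f(zeta^(n-1) y)] with n = len(f)."""
    return tuple(poly_eval(f, p) for p in points(y, len(f)))

def rs_condense(f, y, ell):
    """Condenser output RS_y^C(f): the first ell symbols of RS_y(f)."""
    return rs_perm(f, y)[:ell]

def rs_perm_inverse(values, y):
    """Recover f from RS_y(f) by Lagrange interpolation over F_q."""
    if y == 0:
        raise ValueError("seed 0 is excluded: all evaluation points coincide")
    n = len(values)
    pts = points(y, n)
    coeffs = [0] * n
    for i, (xi, vi) in enumerate(zip(pts, values)):
        num, denom = [1], 1            # prod_{j != i} (X + x_j) and prod (x_i + x_j)
        for j, xj in enumerate(pts):
            if j == i:
                continue
            nxt = [0] * (len(num) + 1)
            for k, c in enumerate(num):
                nxt[k] ^= gf_mul(xj, c)    # x_j * c stays at degree k
                nxt[k + 1] ^= c            # X * c moves to degree k + 1
            num = nxt
            denom = gf_mul(denom, xi ^ xj)  # subtraction is XOR in characteristic 2
        scale = gf_mul(vi, gf_inv(denom))
        for k in range(n):
            coeffs[k] ^= gf_mul(scale, num[k])
    return tuple(coeffs)

def image_size(y, n):
    """Number of distinct outputs of RS_y over all q^n input polynomials."""
    return len({rs_perm(f, y) for f in product(range(Q_SIZE), repeat=n)})

if __name__ == "__main__":
    n = 3
    print([image_size(y, n) for y in range(Q_SIZE)])
    f = (1, 1, 0)                      # the polynomial 1 + X
    print(rs_perm(f, 1), rs_condense(f, 1, 2), rs_perm_inverse(rs_perm(f, 1), 1))
```

With seed 0 every evaluation point is 0, so the image collapses to q values, which is the reason the proof restricts the seed to $\mathbb{F}_q^*$.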

This condenser will be composed with other extractors; the following lemma shows how to compose
condensers.

Lemma C.4 (Composition of strong permutation condensers). Let $(P_{1,y_1})_{y_1\in S_1}$ be an $(n, k) \to_\epsilon (n', k')$
strong permutation condenser and $(P_{2,y_2})_{y_2\in S_2}$ be an $(n', k') \to_\epsilon (n'', k'')$ strong permutation condenser. Then
$\{P_y\}_{y=(y_1,y_2)\in S_1\times S_2} = (P^C, P^R)$ where $P^C_{y_1 y_2} = P^C_{2,y_2} \circ P^C_{1,y_1}$ and $P^R_{y_1 y_2} = (P^R_{2,y_2} \circ P^C_{1,y_1}) \cdot P^R_{1,y_1}$ is an $(n, k) \to_{2\epsilon} (n'', k'')$
strong permutation extractor.

Proof $P_y$ is clearly a permutation of $\{0, 1\}^n$. We only need to check that $P^C$ is a strong condenser. By definition,
if $H_{\min}(X) \ge k$, $(U_{S_1}, P^C_{1,U_{S_1}}(X))$ is $\epsilon$-close to $(U_{S_1}, Z)$ where $Z|_{U_{S_1}=y_1}$ has min-entropy at least $k'$. Now putting Z
into the condenser $P^C_2$, we get that for any $y_1$, $(U_{S_2}, P^C_{2,U_{S_2}}(Z|_{U_{S_1}=y_1}))$ is $\epsilon$-close to $(U_{S_2}, Z_2)$ where $Z_2|_{U_{S_2}=y_2}$ has
min-entropy at least $k''$ for any $y_2 \in S_2$. Thus, $Z_2|_{U_{S_1}U_{S_2}=y_1y_2}$ has min-entropy at least $k''$. Moreover, by the triangle
inequality, we have $\Delta\big((U_{S_1}, U_{S_2}, P^C_{U_{S_1}U_{S_2}}(X)), (U_{S_1}, U_{S_2}, Z_2)\big) \le 2\epsilon$. □

Next, we present one of the standard extractors that are used as a building block in many constructions.

Lemma C.5 ("Leftover Hash Lemma" extractor [ILL89]). For all positive integers n and $k \le n$, and $\epsilon > 0$, there
exists an explicit family $(P_y)_{y\in S}$ of permutations of $\{0, 1\}^n$ that is an $(n, k) \to_\epsilon m$ strong permutation extractor with
$\log |S| = \log(2^n - 1)$ and $m \ge k - 2\log(2/\epsilon)$.

Proof We view $\{0, 1\}^n$ as the finite field $\mathbb{F}_{2^n}$ and the set $S = \mathbb{F}_{2^n}^*$. We then define the permutation $P_y(x) = x \cdot y$
where the product $x \cdot y$ is taken in the field $\mathbb{F}_{2^n}$. The family of functions $P_y$ is pair-wise independent. Applying the
Leftover Hash Lemma [ILL89], we get that if Y is uniform on $\mathbb{F}_{2^n}$, the distribution of the first $\lceil k - 2\log(1/\epsilon) \rceil$ bits of
$P_Y(X)$ together with Y is $\epsilon$-close to uniform. Now if $U_S$ is only uniform on $\mathbb{F}_{2^n}^*$, $(U_S, P_{U_S}(X))$ is $(\epsilon + 2^{-n})$-close to the
uniform distribution. The result follows from the fact that we can suppose $\epsilon \ge 2^{-n}$ (otherwise, $k - 2\log(1/\epsilon) \le 0$
and the theorem is true). □

The problem with this extractor is that it uses a seed that is as long as the input. Next, we introduce the notion
of a block source.

Definition C.6 (Block source). $X = (X_1, X_2, \dots, X_s)$ is a $(k_1, k_2, \dots, k_s)$ block source if for every $i \in \{1, \dots, s\}$ and
$x_1, \dots, x_{i-1}$, $X_i|_{X_1=x_1,\dots,X_{i-1}=x_{i-1}}$ is a $k_i$-source. When $k_1 = \dots = k_s = k$, we call X an $s \times k$ source.

A block source has more structure than a general source. However, for a source of large min-entropy k (or
equivalently with small entropy deficiency $\Delta = n - k$), one does not lose too much entropy by viewing a general
source as a block source where each block has entropy deficiency roughly $\Delta$. See Corollary 5.9 in [GUV09] for a
precise statement.

Lemma C.7 (Lemma 5.4 in [GUV09]). Let s be a (constant) positive integer. For all positive integers n and $\ell \le n$ and all
$\epsilon > 0$, setting $t = \lceil 8s \log(24n^2 \cdot (4s + 1)/\epsilon) \rceil$, there is an explicit family $\{L_y\}_{y\in S}$ of permutations of $\{0, 1\}^n$ that is an

$$(n, 2\ell t) \to_\epsilon \ell t$$

strong permutation extractor with $\log |S| \le 2\ell t/s + t$.

Proof As the extractor is composed of many building blocks, each generating some error, we define $\epsilon_0 = \epsilon/(4s + 1)$
where $\epsilon$ is the target error of the final extractor. The idea is to first apply the condenser RS of Theorem C.3 with
$\alpha = 1/(8s)$ to obtain a string $X' = C(X, U_{\mathbb{F}_q^*})$ of length $n' = (2\ell - 1)t$ which is $\epsilon_0$-close to a $k'$-source where

$$k' = \Big(1 - \frac{1}{8s}\Big)(2\ell - 1)t - 4.$$

The entropy deficiency $\Delta$ of this $k'$-source can be bounded by $\Delta = n' - k' \le \frac{(2\ell - 1)t}{8s} + 4$. Then, we partition
$X' = (X'_1, \dots, X'_{2s})$ (arbitrarily) into 2s blocks of size $n'' = \lfloor n'/2s \rfloor$ or $n'' + 1$. Using Corollary 5.9 of [GUV09],
$(X'_1, \dots, X'_{2s})$ is $2s\epsilon_0$-close to some $2s \times k''$-source where $k'' = (n'' - \Delta - \log(1/\epsilon_0))$.

We have $\Delta \le \ell t/(4s) + 3 \le \ell t/(3s)$ for n large enough. Thus,

k" > ™ - g - log(l/e ) = - log(l/e ). 



We can then apply the extractor Lemma C.5 to all the 2s blocks using the same seed of size n" + 1. Note that we can 
reuse the same seed because we have a strong extractor and the seed is independent of all the blocks. This extractor 
extracts almost all the min-entropy of the sources. More precisely, if we input to this extractor a 2s x fc"-source, the 
output distribution is 2seo-close to m uniform bits where 

m > 2s ■ (k" -21og(2/e )) > -It - 6slog(2/e Q ) > It. 

Overall, the output of this extractor is e n + 2se + 2se = e-close to the uniform distribution on m bits. 

It only remains to show that the extractor we just described is strong and can be extended to a permutation. 
This follows from Lemma C.4 and the fact the condensers (coming from Theorem C.3 and Lemma [C. 5} are strong 
permutation condensers. □ 

Remark. As pointed out in [GUV09], a stronger version of this lemma (i.e., with larger output) can be proved by
using the condenser of Theorem C.3 and the high min-entropy extractor in [GW97] with a Ramanujan expander
(for example, the expander of [LPS88]). This construction can also give a strong permutation extractor. However,
using this extractor would slightly complicate the exposition and does not really influence the final extractor
construction presented in Theorem 2.15. □



The following lemma basically says that the entropy is conserved by a permutation extractor. It is an adapted
version of Lemma 26 in [RRV99].

Lemma C.8. Let $\{P_y\}_{y \in S}$ be an $(n, k) \to_\epsilon m$ strong permutation extractor. Let $X$ be a $k$-source, then $(U_S, P^E_{U_S}(X), P^R_{U_S}(X))$
is $2\epsilon$-close to $(U_{S \times \{0,1\}^m}, W)$ where $U_{S \times \{0,1\}^m}$ is uniform on $S \times \{0,1\}^m$ and for all $y \in S$, $z \in \{0,1\}^m$

$$H_{\min}(W \mid U_{S \times \{0,1\}^m} = (y, z)) \ge k - m - 1.$$

Proof. As $\{P_y\}$ is a strong extractor, there exists a random variable $U_{S \times \{0,1\}^m}$ uniformly distributed on $S \times \{0,1\}^m$
such that $P\{(U_S, P^E_{U_S}(X)) \ne U_{S \times \{0,1\}^m}\} \le \epsilon$. Define $\Gamma = \{(y, z) \in S \times \{0,1\}^m : P\{P^E_y(X) = z\} < \frac{1}{2} \cdot 2^{-m}\}$. We
have for every $(y, z) \notin \Gamma$ and $x \in \{0,1\}^{n-m}$

$$P\{P^R_y(X) = x \mid P^E_y(X) = z\} \le 2^{m+1}\, P\{X = P_y^{-1}(x, z)\} \le 2^{-(k-m-1)}.$$

We then show that $P\{(U_S, P^E_{U_S}(X)) \in \Gamma\} \le \epsilon$. Using the fact that $\{P_y\}$ is a strong extractor, we have

$$\left| P\{(U_S, U_{\{0,1\}^m}) \in \Gamma\} - P\{(U_S, P^E_{U_S}(X)) \in \Gamma\} \right| \le \epsilon.$$

But recall that, by definition of $\Gamma$, $P\{(U_S, P^E_{U_S}(X)) \in \Gamma\} < \frac{1}{2} P\{(U_S, U_{\{0,1\}^m}) \in \Gamma\}$, so we get

$$P\{(U_S, P^E_{U_S}(X)) \in \Gamma\} \le \epsilon.$$

Finally we define

$$W = \begin{cases} P^R_{U_S}(X) & \text{if } (U_S, P^E_{U_S}(X)) \notin \Gamma \\ U' & \text{if } (U_S, P^E_{U_S}(X)) \in \Gamma \end{cases}$$

where $U'$ is uniform on $\{0,1\}^{n-m}$ and independent of all other random variables. We conclude by observing that
with probability at least $1 - 2\epsilon$, we have $(U_S, P^E_{U_S}(X)) = U_{S \times \{0,1\}^m}$ and $P^R_{U_S}(X) = W$. □

We then combine these results to obtain the desired extractor. The proof of the following theorem closely
follows Theorem 5.10 in [GUV09] but using the lossy condenser presented in Theorem C.3 and making small
modifications to obtain a permutation extractor.

Theorem C.9. For all integers $n \ge 1$, all $\epsilon \in (0, 1/2)$, and all $k \in [200 \lceil 200 \log(24n^2/\epsilon) \rceil, n]$ there is an explicit
$(n, k) \to_\epsilon \lfloor k/4 \rfloor$ strong permutation extractor $\{P_y\}_{y \in S}$ with $\log |S| \le 200 \lceil 200 \log(24n^2/\epsilon) \rceil$. Moreover, the function
$(x, y) \mapsto P_y(x)$ can be computed by a circuit of size $O(n\, \mathrm{polylog}(n/\epsilon))$.



Proof If n < 2 ■ 10 6 , we can use the extractor of Lemma|C7|with s = 200 and I > 1 such that 2lt < k < 2(1 + l)t. 
This gives an extractor whose seed has size ^ < 10 4 < 200j2001og(24n, 2 /e)] and that extracts it > \-2(l+l)t > \ 
bits, so the statement still holds true. In the rest of the proof, we assume n > 2 ■ 10 6 . 

The idea of the construction is to build for an integer $i \ge 0$ an explicit $(n, 2^i \cdot 8d) \to_\epsilon 2^{i-1} \cdot 8d$ extractor using $d$ bits of seed
by induction on $i$. Fix $t(\epsilon) = \lceil 200 \log(24n^2/\epsilon) \rceil$ and $d(\epsilon) = 200\, t(\epsilon)$. The induction hypothesis for an integer $i \ge 0$ is
as follows: For all integers $i' \le i$ and $n$ and $\epsilon > 0$, there is an explicit

$$(n, 2^{i'} \cdot 8d(\epsilon)) \to_\epsilon 2^{i'-1} \cdot 8d(\epsilon)$$

strong permutation extractor with seed size $d(\epsilon)$. This extractor is called $\{P^{(i')}_y\}_{y \in S}$.

For both i = and i = 1 we can use the extractor of Lemma |C . 7| with s = 20. For i e {0, 1}, we obtain an 
(n, 2 l • 8d(e/(4s + 1))) — > e 2 l_1 8d strong permutation extractor with Let e = z^xr- F° r * e {0' 1}' this gives an 



extractor with seed 2 '' 8( l ( n e/81) + * < §jd(e) + §.200 f200 log(81)] < d(e) 



4s+l - 

, pnn Tonnirxr/'aiM <? ri(A 

20 20 V T 20 

We now show for i > — 1 how to build the extractor {Py J ' ) } using the extractors {Py* ^} for i' < i. Using 
the induction hypothesis, we construct the following extractor, which will be applied four times to extract the 
necessary random bits to prove the induction step. The choice of the form of the min-entropy values will become
clear later. Set $\epsilon_0 = \epsilon/20$.

Claim. There exists an 

(n^-^eo))^ 2 l -d(e ) 
strong permutation extractor {Q y } y eT with seed size log |T| < 



To prove the claim, we start by applying the condenser of Theorem C.3 with a = 1/200 and e = e (so we use 



a seed of size i(eo)). The output X' of size at most 2 l ■ 4.5<i(eo) is then eo-close to having min-entropy is at least 

(1 - a)2 l ■ 4.5d(e ) - t(e ). The entropy deficiency of this distribution is a2 i ■ 4.5d(e ) + ^ < ^'^^ ■ We then 
divide X' into two equal blocks X' = (X[, X' 2 ), and we know that it is 2e close to being a 2 x fc'-source for 

„ _ T • 4.5 d(eo) T • 4 M eo) ^ > f « . 2* - 4.5 - ±) d(e ) 



2 100 ov ' ' ~ \\00 200, 

as log(l/eo) < t(eo) = ^g^- For the extractors we will apply next to this source, we should note that k' > 2d(eo) 
and that 2 l ■ 4d(e ) < k' < 2 l ■ 8d(e ). 
Figure 4: The extractor $Q$ is obtained by first applying the condenser of Theorem C.3 and decomposing the output
into two parts. The Leftover Hash Lemma extractor (Lemma C.7) is applied to the first half and its output is used
as a seed for the extractor $\{P^{(i-2)}_y\}$ coming from the induction hypothesis.



We now apply the extractor of Lemma C.7 to X[ (viewed as a 2d(eo)-source) using a seed of size 



2ri(e ) 



and 



obtaining $X''$ that is $\epsilon_0$-close to uniform on $d(\epsilon_0)$ bits. We then apply the extractor $\{P^{(i-2)}_y\}$ obtained by induction
for $i - 2$ to $X'_2$ (of size $2^i \cdot 4.5\, d(\epsilon_0) \le n$) with seed $X''$ (of size $d(\epsilon_0)$): it is an $(n, 2^{i-2} \cdot 8d(\epsilon_0)) \to_{\epsilon_0} 2^i \cdot d(\epsilon_0)$
permutation extractor.

The construction is illustrated in Figure |i] Note that the number of bits of the seed is log \T\ < t(e ) + 2d i»°^ < 
^l 2 ^ . This concludes the proof of the claim. 



Figure 5: The permutation extractor $\{Q_y\}$ described in the claim is applied four times with independent seeds in
order to extract $2^{i-1} \cdot 8d(\epsilon)$ random bits.
The source $X$ we begin with is a $2^i \cdot 8d(\epsilon)$-source. But we have $2^i \cdot 8d(\epsilon) \ge 2^i \cdot 8d(\epsilon_0) - 2^i \cdot 8 \cdot 200^2 \log 20 \ge 2^i \cdot 4.5\, d(\epsilon_0)$
so that we can apply the permutation extractor $\{Q_y\}_{y \in T}$ of the claim. We obtain $Q^E_{U_T}(X)$ which is $\epsilon_0$-close to $2^i \cdot d(\epsilon_0)$
random bits. As $Q^E$ is part of a permutation extractor, the remaining entropy is not lost: it is in $Q^R_{U_T}(X)$. More
precisely, applying Lemma C.8 we get $Q^R_{U_T}(X)$ is $\epsilon_0$-close to a source of min-entropy at least $2^i \cdot 8d(\epsilon) - 2^i \cdot d(\epsilon_0) - 1$.
As $2^i \cdot 8d(\epsilon) - 2^i \cdot d(\epsilon_0) - 1 \ge 2^i \cdot 4.5\, d(\epsilon_0)$, we can apply the extractor $\{Q_y\}_{y \in T}$ of the claim to this source. Note
that the input size has decreased but as mentioned earlier this only makes it easier to extract random bits as one
can always encode in part of the input space. To apply $Q$, we use a fresh new seed that outputs a bit string that
is close to uniform on $2^{i-3} \cdot 8d(\epsilon_0)$ bits and the remaining entropy can be found in the $R$ register. We apply this
procedure four times in total as shown in Figure 5. Note that the reason we can apply it four times is that at the
last application $2^i \cdot 8d(\epsilon) - 3 \cdot 2^{i-3} \cdot 8d(\epsilon_0) - 3 \ge 2^i \cdot 4.5\, d(\epsilon_0)$. As the extractor $\{Q_y\}_{y \in T}$ has error at most $5\epsilon_0$, the
total error is bounded by $20\epsilon_0 = \epsilon$.

We thus obtain an

$$(n, 2^i \cdot 8d(\epsilon)) \to_\epsilon 4 \cdot 2^{i-3} \cdot 8d(\epsilon_0)$$

strong permutation extractor with seed set $S = T^4$ so that $\log |S| \le 4 \log |T| \le d(\epsilon)$.

□

By a repeated application of the previous theorem, we can extract a larger fraction of the min-entropy. 



Theorem 2.15. For all (constant) $\delta \in (0, 1)$, there exists $c > 0$, such that for all positive integers $n$, all $k \in [c \log(n/\epsilon), n]$,
and all $\epsilon \in (0, 1/2)$, there is an explicit $(n, k) \to_\epsilon (1 - \delta)k$ strong permutation extractor $\{P_y\}_{y \in S}$ with $\log |S| =
O(\log(n/\epsilon))$. Moreover, the functions $(x, y) \mapsto P_y(x)$ and $(x, y) \mapsto P_y^{-1}(x)$ can be computed by circuits of size
$O(n\, \mathrm{polylog}(n/\epsilon))$.

Proof. We start by applying the extractor of Theorem C.9. We extract part of the min-entropy of the source and
the remaining min-entropy is in the $R$ system (Lemma C.8). This min-entropy can be extracted using once again
the extractor of Theorem C.9. After $O(\log(1/\delta))$ applications of the extractor, we obtain the desired result. □



D Impossibility of locking using Pauli operators 

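The objective of this section is to give an example of a construction that is not a locking scheme to illustrate what
is needed to obtain a locking scheme. The $2 \times 2$ Pauli matrices are the four matrices $\{\mathbb{1}, \sigma_x, \sigma_z, \sigma_x\sigma_z\}$ where

$$\sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \quad \text{and} \quad \sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}.$$

For bit strings $u, v \in \{0,1\}^n$, we define the unitary operation $\sigma_x^u \sigma_z^v$ on $(\mathbb{C}^2)^{\otimes n}$ by

$$\sigma_x^u \sigma_z^v = \sigma_x^{u_1}\sigma_z^{v_1} \otimes \cdots \otimes \sigma_x^{u_n}\sigma_z^{v_n}.$$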



It was shown in [AMTdW00] that one can encrypt an $n$-qubit state perfectly using a key $(U, V)$ of $2n$ bits.
To encrypt $|\psi\rangle$, one simply applies $\sigma_x^U \sigma_z^V$ to $|\psi\rangle$. This can be thought of as a quantum version of one-time pad
encryption. Of course, this encryption scheme also defines a $(0, 0)$-locking scheme, but the size of the key is $2n$
bits. Recall that we want to use the assumption that the message is random to reduce the key size to something
like $O(\mathrm{polylog}(n))$ bits.

Ambainis and Smith [AS04] showed that to achieve approximate encryption, it is sufficient to choose the key
uniformly at random from a subset $S \subseteq \{0,1\}^{2n}$ of size only $O(n^2 2^n)$. Such pseudorandom subsets are called
$\delta$-biased sets and have also been used to construct entropically secure encryption schemes [DS05, DD10]. For
example, [DD10] showed that it is possible to encrypt a uniformly random state by applying $\sigma_x^U \sigma_z^V$ where $(U, V)$
is chosen uniformly from a set $S \subseteq \{0,1\}^{2n}$ of size $O(n^2)$ (see [DS05, DD10] for a precise definition of entropic
security). Such a scheme can seem like a good candidate for a locking scheme. The following proposition shows
that this encryption scheme is far from being $\epsilon$-locking. Note that this also shows that the notion of entropic security
defined in [Des09, DD10] is weaker than the definition of locking.

Proposition D.1. Consider an $\epsilon$-locking scheme $\mathcal{E}$ of the form $\mathcal{E}(x, k = (u, v)) = \sigma_x^u \sigma_z^v |x\rangle$ where the message $x \in \{0,1\}^n$
and the key $u, v \in \{0,1\}^n$ (see Definition 3.1). Suppose the key $K$ is chosen uniformly from a set $S \subseteq \{0,1\}^{2n}$. Then
$|S| \ge (1 - \epsilon)2^n$.
Proof. Let $X$ be the message (recall $X$ is uniform on $\{0,1\}^n$) and $(U, V)$ be the key. The key is uniformly distributed
on $S$. We show that a measurement in the computational basis gives a lot of information about $X$. Let $I$ be the
outcome of measuring $\mathcal{E}(X, K)$ in the computational basis. We have for $x, i \in \{0,1\}^n$,

$$P\{X = x \mid I = i\} = P\{I = i \mid X = x\} = \frac{1}{|S|} \sum_{(u,v) \in S} |\langle i|\sigma_x^u \sigma_z^v|x\rangle|^2.$$

Observing that the term $|\langle i|\sigma_x^u \sigma_z^v|x\rangle|^2 \in \{0, 1\}$, we have that for any fixed $i$, there are at most $|S|$ different values of
$x$ for which $P\{X = x \mid I = i\} > 0$. Thus, defining $T = \{x \in \{0,1\}^n : P\{X = x \mid I = i\} = 0\}$, we have

$$\Delta(p_{X|[I=i]}, p_X) \ge P\{X \in T\} - P\{X \in T \mid I = i\} = P\{X \in T\} \ge 1 - \frac{|S|}{2^n}.$$

By the definition of a locking scheme, we should have

$$\Delta(p_{X|[I=i]}, p_X) \le \epsilon$$

which concludes the proof. □
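
The counting argument of Proposition D.1 can be checked exhaustively on a small instance. The following is an added example, not code from the paper: it computes $\Delta(p_{X|[I=i]}, p_X)$ for every computational-basis outcome $i$, once for a small key set and once for the full $2n$-bit key. The function names, the sizes $n = 6$, $|S| = 8$ and the seeded sample key set are assumptions made for illustration.

```python
import random
from fractions import Fraction


def apply_pauli_key(x, u, v):
    """Apply sigma_x^u sigma_z^v to the basis state |x> (bit strings as ints).

    sigma_z^v contributes the sign (-1)^(v.x); sigma_x^u then flips the bits
    selected by u. The result is a single basis state up to sign, which is why
    |<i| sigma_x^u sigma_z^v |x>|^2 is always 0 or 1.
    """
    sign = -1 if bin(v & x).count("1") % 2 else 1
    return sign, x ^ u


def posterior_given_outcome(n, key_set, i):
    """P{X = x | I = i} for uniform X and a uniform key; None if i never occurs."""
    size = 2 ** n
    joint = [Fraction(0)] * size
    weight = Fraction(1, size * len(key_set))
    for x in range(size):
        for (u, v) in key_set:
            _, outcome = apply_pauli_key(x, u, v)
            if outcome == i:
                joint[x] += weight
    total = sum(joint)
    if total == 0:
        return None
    return [p / total for p in joint]


def distance_from_uniform(posterior):
    """Total variation distance between the posterior and the uniform prior."""
    size = len(posterior)
    return sum(abs(p - Fraction(1, size)) for p in posterior) / 2


def leakage_range(n, key_set):
    """Minimum and maximum over outcomes i of Delta(p_{X|I=i}, p_X)."""
    distances = []
    for i in range(2 ** n):
        posterior = posterior_given_outcome(n, key_set, i)
        if posterior is not None:
            distances.append(distance_from_uniform(posterior))
    return min(distances), max(distances)


def sample_key_set(n, size, seed=1):
    """Constructed sample: `size` distinct keys (u, v), drawn with a fixed seed."""
    rng = random.Random(seed)
    keys = set()
    while len(keys) < size:
        keys.add((rng.randrange(2 ** n), rng.randrange(2 ** n)))
    return sorted(keys)


def full_key_set(n):
    """All 2^(2n) keys: the quantum one-time pad of [AMTdW00]."""
    return [(u, v) for u in range(2 ** n) for v in range(2 ** n)]


if __name__ == "__main__":
    n = 6
    small = sample_key_set(n, 8)
    lo, hi = leakage_range(n, small)
    bound = 1 - Fraction(len(small), 2 ** n)
    print("8 keys, n = 6: distance in [%s, %s], bound 1 - |S|/2^n = %s" % (lo, hi, bound))
    print("full key, n = 3:", leakage_range(3, full_key_set(3)))
```

With 8 keys on 6-bit messages every outcome leaves at most 8 candidate messages, so the distance is at least $7/8$; only the full key set brings it down to 0.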



References 



[AD89] R. Ahlswede and G. Dueck. Identification via channels. IEEE Transactions on Information Theory, 35(1):15-29, Jan 1989.

[Amb09] A. Ambainis. Limits on entropic uncertainty relations for 3 and more MUBs. 2009, arXiv:0909.3720.

[AMTdW00] A. Ambainis, M. Mosca, A. Tapp, and R. de Wolf. Private quantum channels. In Proceedings of the 41st Annual Symposium on Foundations of Computer Science, 2000, pages 547-553, 2000.

[AS04] A. Ambainis and A. Smith. Small pseudo-random families of matrices: Derandomizing approximate quantum encryption. In Proceedings of RANDOM, pages 249-260. Springer, 2004, arXiv:quant-ph/0404075.

[ASW10a] G. Aubrun, S. Szarek, and E. Werner. Hastings's additivity counterexample via Dvoretzky's theorem. 2010, arXiv:1003.4925.

[ASW10b] G. Aubrun, S. Szarek, and E. Werner. Nonadditivity of Renyi entropy and Dvoretzky's theorem. Journal of Mathematical Physics, 51(2):022102, 2010, arXiv:0910.1189.

[Bal97] K. Ball. An elementary introduction to modern convex geometry. Flavors of geometry, 31:1-58, 1997.

[BB84] C. H. Bennett and G. Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, volume 175. Bangalore, India, 1984.

[BBM75] I. Bialynicki-Birula and J. Mycielski. Uncertainty relations for information entropy in wave mechanics. Communications in Mathematical Physics, 44(2):129-132, 1975.

[BCH+06] H. Buhrman, M. Christandl, P. Hayden, H. K. Lo, and S. Wehner. Security of quantum bit string commitment depends on the information measure. Physical Review Letters, 97(25):250501, 2006.

[BCH+08] H. Buhrman, M. Christandl, P. Hayden, H. K. Lo, and S. Wehner. Possibility, impossibility, and cheat sensitivity of quantum-bit string commitment. Physical Review A, 78(2):22316, 2008, arXiv:quant-ph/0504078.

[BCWdW01] H. Buhrman, R. Cleve, J. Watrous, and R. de Wolf. Quantum fingerprinting. Physical Review Letters, 87(16):167902, 2001.






[BDSW96] C. H. Bennett, D. DiVincenzo, J. A. Smolin, and W. K. Wootters. Mixed-state entanglement and quantum error correction. Physical Review A, 54(5):3824-3851, Nov 1996, arXiv:quant-ph/9604024.

[BW07] M. A. Ballester and S. Wehner. Entropic uncertainty relations and locking: Tight bounds for mutually unbiased bases. Physical Review A, 75(2):022319, Feb 2007, arXiv:quant-ph/0606244.

[DCEL09] C. Dankert, R. Cleve, J. Emerson, and E. Livine. Exact and approximate unitary 2-designs and their application to fidelity estimation. Physical Review A, 80(1):12304, 2009, arXiv:quant-ph/0606161.

[DD10] S. P. Desrosiers and F. Dupuis. Quantum entropic security and approximate quantum encryption. IEEE Transactions on Information Theory, 56(7):3455-3464, Jul 2010, arXiv:0707.0691.

[Des09] S. P. Desrosiers. Entropic security in quantum cryptography. Quantum Information Processing, 8:331-345, 2009.

[Deu83] D. Deutsch. Uncertainty in quantum measurements. Physical Review Letters, 50(9):631-633, Feb 1983.

[DFHL10] F. Dupuis, J. Florjanczyk, P. Hayden, and D. Leung. Locking classical information. 2010, arXiv:1011.1612.

[DFR+07] I. Damgard, S. Fehr, R. Renner, L. Salvail, and C. Schaffner. A tight high-order entropic quantum uncertainty relation with applications. In Advances in cryptology - CRYPTO '07, Lecture Notes in Computer Science, pages 360-378. Springer-Verlag, 2007, arXiv:quant-ph/0612014.

[DFSS05] I. Damgard, S. Fehr, L. Salvail, and C. Schaffner. Cryptography in the bounded quantum-storage model. In Proceedings of the 46th Annual IEEE Symposium on Foundations of Computer Science, pages 449-458. IEEE, 2005, arXiv:quant-ph/0508222.

[DHL+04] D. P. DiVincenzo, M. Horodecki, D. W. Leung, J. A. Smolin, and B. M. Terhal. Locking classical correlations in quantum states. Physical Review Letters, 92(6):67902, 2004, arXiv:quant-ph/0303088.

[DPS04] I. Damgard, T. B. Pedersen, and L. Salvail. On the key-uncertainty of quantum ciphers and the computational security of one-way quantum transmission. In Advances in Cryptology - EUROCRYPT 2004, Lecture Notes in Computer Science, pages 91-108. Springer, 2004, arXiv:quant-ph/0407066.

[DPS05] I. Damgard, T. B. Pedersen, and L. Salvail. A quantum cipher with near optimal key-recycling. In Advances in Cryptology - CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, pages 494-510. Springer Berlin / Heidelberg, 2005.

[DS05] Y. Dodis and A. Smith. Entropic security and the encryption of high entropy messages. Theory of Cryptography, pages 556-577, 2005.

[Dup10] F. Dupuis. A decoupling approach to quantum information theory. PhD thesis, Universite de Montreal, 2010, arXiv:1004.1641.

[Dvo61] A. Dvoretzky. Some results on convex bodies and Banach spaces. In Proc. Internat. Sympos. Linear Spaces, pages 123-160. Jerusalem Academic Press, 1961.

[Fan73] M. Fannes. A continuity property of the entropy density for spin lattice systems. Communications in Mathematical Physics, 31(4):291-294, 1973.

[FLM77] T. Figiel, J. Lindenstrauss, and V. D. Milman. The dimension of almost spherical sections of convex bodies. Acta Mathematica, 139(1):53-94, 1977.

[FvdG99] C. A. Fuchs and J. van de Graaf. Cryptographic distinguishability measures for quantum-mechanical states. IEEE Transactions on Information Theory, 45(4):1216-1227, 1999, arXiv:quant-ph/9712042.

[GI10] D. Gavinsky and T. Ito. Quantum Fingerprints that Keep Secrets. 2010, arXiv:1010.5342.

[Gol08] O. Goldreich. Computational complexity: a conceptual perspective. Cambridge University Press, 2008.

[GUV09] V. Guruswami, C. Umans, and S. Vadhan. Unbalanced expanders and randomness extractors from Parvaresh-Vardy codes. Journal of the ACM, 56(4):1-34, 2009.






[GW97] O. Goldreich and A. Wigderson. Tiny families of functions with random properties: A quality-size trade-off for hashing. Random Structures and Algorithms, 11(4):315-343, 1997.

[Has09] M. B. Hastings. Superadditivity of communication capacity using entangled inputs. Nature Physics, 5(4):255-257, 2009.

[HHHO05] K. Horodecki, M. Horodecki, P. Horodecki, and J. Oppenheim. Locking entanglement with a single qubit. Physical Review Letters, 94(20):200501, May 2005, arXiv:quant-ph/0404096.

[HLSW04] P. Hayden, D. Leung, P. W. Shor, and A. Winter. Randomizing quantum states: Constructions and applications. Communications in Mathematical Physics, 250(2):371-391, 2004, arXiv:quant-ph/0307104.

[HLW06] P. Hayden, D. W. Leung, and A. Winter. Aspects of generic entanglement. Communications in Mathematical Physics, 265(1):95-117, 2006, arXiv:quant-ph/0407049.

[HMR+10] S. Hallgren, C. Moore, M. Rotteler, A. Russell, and P. Sen. Limitations of quantum coset states for graph isomorphism. Journal of the ACM, 57(6), Oct 2010.

[HSP06] R. W. Heath, T. Strohmer, and A. J. Paulraj. On quasi-orthogonal signatures for CDMA systems. IEEE Transactions on Information Theory, 52(3):1217-1226, 2006.

[HW08] P. Hayden and A. Winter. Counterexamples to the maximal p-norm multiplicativity conjecture for all p > 1. Communications in Mathematical Physics, 284(1):263-280, 2008, arXiv:0807.4753.

[HW10] P. Hayden and A. Winter. The fidelity alternative and quantum measurement simulation. 2010, arXiv:1003.4994.

[ILL89] R. Impagliazzo, L. Levin, and M. Luby. Pseudo-random generation from one-way functions. In Proceedings of the 21th annual ACM Symposium on Theory of computing, pages 12-24. ACM, 1989.

[Ind07] P. Indyk. Uncertainty principles, extractors, and explicit embeddings of L2 into L1. In Proceedings of the 39th annual ACM Symposium on Theory of Computing, pages 615-620. ACM, 2007.

[IS10] P. Indyk and S. Szarek. A simple construction of almost-Euclidean subspaces of via tensor products. 2010, arXiv:1001.0041.

[Kas77] B. Kashin. Sections of some finite dimensional sets and classes of smooth functions. Izv. Acad. Nauk SSSR, 41:334-351, 1977.

[KN97] E. Kushilevitz and N. Nisan. Communication Complexity. Cambridge University Press, Cambridge, 1997.

[KRBM07] R. Konig, R. Renner, A. Bariska, and U. Maurer. Small accessible quantum information does not imply security. Physical Review Letters, 98(14):140502, Apr 2007, arXiv:quant-ph/0512021.

[KW04] M. Koashi and A. Winter. Monogamy of quantum entanglement and other correlations. Physical Review A, 69(2):022309, Feb 2004, arXiv:quant-ph/0310037.

[KWW09] R. Konig, S. Wehner, and J. Wullschleger. Unconditional security from noisy quantum storage. 2009, arXiv:0906.1030.

[LC97] H. K. Lo and H. F. Chau. Is quantum bit commitment really possible? Physical Review Letters, 78(17):3410-3413, 1997, arXiv:quant-ph/9603004.

[Led01] M. Ledoux. The concentration of measure phenomenon. American Mathematical Society, 2001.

[Leu09] D. Leung. A survey on locking of bipartite correlations. In Journal of Physics: Conference Series, volume 143, page 012008. Institute of Physics Publishing, 2009.

[LPS88] A. Lubotzky, R. Phillips, and P. Sarnak. Ramanujan graphs. Combinatorica, 8(3):261-277, 1988.

[Mat02] J. Matousek. Lectures on discrete geometry. Springer Verlag, 2002.

[May97] D. Mayers. Unconditionally secure quantum bit commitment is impossible. Physical Review Letters, 78(17):3414-3417, 1997, arXiv:quant-ph/9605044.






[Mil71] V. D. Milman. New proof of the theorem of A. Dvoretzky on intersections of convex bodies. 
Functional Analysis and Its Applications, 5:288-295, 1971. 

[MS86] V. D. Milman and G. Schechtman. Asymptotic theory of finite dimensional normed spaces, volume 1200
of Lecture Notes in Mathematics. Springer-Verlag, 1986.

[MU88] H. Maassen and J. B. M. Uffink. Generalized entropic uncertainty relations. Physical Review Letters, 
60(12):1103-1106, Mar 1988. 

[OH05] J. Oppenheim and M. Horodecki. How to reuse a one-time pad and other notes on authentication,
encryption, and protection of quantum information. Physical Review A, 72(4):042309, Oct 2005,
arXiv:quant-ph/0306161.

[Pis89] G. Pisier. The volume of convex bodies and Banach space geometry. Cambridge University Press, 1989. 

[RRS09] J. Radhakrishnan, M. Rotteler, and P. Sen. Random Measurement Bases, Quantum State Distinction
and Applications to the Hidden Subgroup Problem. Algorithmica, 55(3):490-516, 2009.

[RRV99] R. Raz, O. Reingold, and S. Vadhan. Extracting all the randomness and reducing the error in 
Trevisan's extractors. In Proceedings of the thirty-first annual ACM Symposium on Theory of Computing, 
pages 149-158. ACM, 1999. 

[RVW00] O. Reingold, S. Vadhan, and A. Wigderson. Entropy waves, the zig-zag graph product, and new 
constant-degree expanders and extractors. In Proceedings. 41st Annual Symposium on Foundations of 
Computer Science, 2000, pages 3-13, 2000.

[RW02] A. Russell and H. Wang. How to fool an unbounded adversary with a short key. In Advances in 
Cryptology—EUROCRYPT 2002, pages 133-148. Springer, 2002. 

[Sha48] C. Shannon. A mathematical theory of communications. Bell System Technical Journal, 27:379-423, 
1948. 

[Sho90] V. Shoup. New algorithms for finding irreducible polynomials over finite fields. Mathematics of
Computation, 54(189):435-447, 1990.

[Sho92] V. Shoup. Searching for primitive roots in finite fields. Mathematics of Computation, 58(197):369-380,
1992.

[SP00] P. W. Shor and J. Preskill. Simple Proof of Security of the BB84 Quantum Key Distribution Protocol.
Physical Review Letters, 85(2):441-444, Jul 2000, arXiv:quant-ph/0003004.

[SR01] R. W. Spekkens and T. Rudolph. Degrees of concealment and bindingness in quantum bit
commitment protocols. Physical Review A, 65(1):12310, 2001, arXiv:quant-ph/0106019.

[Sza06] S. Szarek. Convexity, complexity, and high dimensions. In International Congress of Mathematicians, 
volume 2, pages 1599-1621, 2006. 

[Tro04] J. Tropp. Topics in Sparse Approximation. PhD thesis, University of Texas at Austin, 2004. 

[vzGG99] J. von zur Gathen and J. Gerhard. Modern computer algebra. Cambridge University Press, 1999. 

[WF89] W. K. Wootters and B. D. Fields. Optimal state-determination by mutually unbiased measurements.
Annals of Physics, 191(2):363-381, 1989.

[Win04] A. Winter. Quantum and classical message identification via quantum channels. In O. Hirota, editor,
Festschrift "A. S. Holevo 60", pages 171-188. Rinton Press, 2004. Reprinted in Quantum Inf. Comput.
4(6&7):563-578, 2004, arXiv:quant-ph/0401060.

[WW10] S. Wehner and A. Winter. Entropic uncertainty relations — a survey. New Journal of Physics, 12:025009, 
2010, arXiv:0907.3704.






